Peter Shank said a lot of things I agree with in his response to Damien Doligez' break of an SSL/RC4-40 transaction, and one thing that seems to miss the point.
> From: shank@netscape.com (Peter Shank)
> Subject: Netscape security
> 2. The standard way to determine the level of security of any encryption scheme is to compare the cost of breaking it versus the value of the information that can be gained. In this case he had to use roughly
Agreed.
> $10,000 worth of computing power (ballpark figure for having access to 120 workstations and a few parallel supercomputers for 8 days) to break a single message. Assuming the message is protecting something of less value than $10,000, then this information can be protected with only RC4-40 security. For information of greater value, currently available RC4-128 security should be used.
However, the cost of breaking it to Doligez was essentially nil. The machines to which he had access were otherwise idle, and no other users were competing for them. The virtually simultaneous break by David Byers in the team led by Adam Back was the same: idle cycles. In fact, Byers was delayed because a real project needed cycles on that machine. I would hazard a guess that 90% of the compute cycles in the world are used running screen savers... this gives a <lot> of slack for people who would like to harness them to perform productive work like making points about the strength of security. I would have to say the marginal value of compute cycles is approximately $0 until enough compute hogs come along to eat from the idle cycle trough.
> 3. Inside the US, software can support a range of stronger encryption options, including RC4-128, which is 2^88 times harder to break.
Absolutely. It's incredibly annoying that companies like Netscape who understand how to get good transaction security have to settle for "almost good enough" -- the computing cost of the extra security is almost nil.
> We would appreciate your support in lobbying the U.S. government to lift the export controls on encryption. If you'd like to help us lobby the government send email to export@netscape.com.
Yes!
> Finally, we'd like to reiterate that all this person has done is decrypt one single RC4-40 message. RC4 the algorithm and products which use the algorithm remain as secure as always.
Yes, but with idle cycles contributed by volunteers the decryption time on a single RC4-40 message can very likely be reduced to a day or so at no marginal cost to owners of existing machines... which is the whole point. Cracking weak crypto is free, and can be combatted only by implementing strong crypto.

Jim Gillogly
Highday, 25 Wedmath S.R. 1995, 17:08
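As an added illustration of the work-factor argument above (this is not part of Gillogly's post or Netscape's statement), a small model that treats the reported "120 workstations for 8 days" as one full sweep of the 40-bit key space, assumes every key costs the same to test, and then asks what the same machines would need for a 128-bit key. Exact rational arithmetic is used so the 2^88 ratio falls out without rounding.

```python
# Work-factor model for the RC4-40 vs RC4-128 cost argument.
# Assumptions (not from the post): uniform cost per key test, and the
# search sweeps the entire space in the worst case.  Dollar cost is left
# out on purpose: the post's point is that idle volunteer cycles make the
# marginal cost ~0, so only elapsed time and machine count are modelled.
from fractions import Fraction
import math

SECONDS_PER_DAY = 86_400


def implied_rate_per_machine(key_bits, machines, days):
    """Keys/second each machine must test to sweep a key_bits space with
    `machines` machines in `days` days (worst case: full sweep)."""
    return Fraction(2 ** key_bits, machines * days * SECONDS_PER_DAY)


def worst_case_days(key_bits, machines, rate_per_machine):
    """Days to sweep the full space at the given per-machine rate."""
    return Fraction(2 ** key_bits) / (machines * rate_per_machine) / SECONDS_PER_DAY


def machines_for_deadline(key_bits, days, rate_per_machine):
    """Machines needed to finish a full sweep of key_bits within `days`."""
    return math.ceil(Fraction(2 ** key_bits) / (days * SECONDS_PER_DAY * rate_per_machine))


def work_factor_ratio(bits_a, bits_b):
    """How many times more key tests a bits_b key needs than a bits_a key."""
    return 2 ** (bits_b - bits_a)


if __name__ == "__main__":
    # Calibrate from the figure quoted in the post: 120 workstations, 8 days.
    rate = implied_rate_per_machine(40, 120, 8)
    print(f"implied rate per workstation: {float(rate):,.0f} keys/s")
    # Gillogly's "a day or so" with volunteer machines:
    print(f"RC4-40 in one day needs {machines_for_deadline(40, 1, rate)} such machines")
    # Shank's "2^88 times harder" for RC4-128, on the same 120 machines:
    years = float(worst_case_days(128, 120, rate)) / 365.25
    print(f"RC4-128 on 120 machines: about {years:.2e} years")
    print(f"work-factor ratio 128/40 = 2^{int(math.log2(work_factor_ratio(40, 128)))}")
```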