-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 09:52 24/06/97 -6, Peter Trei wrote:

Adam Back writes.

...

About 10 years ago now Michael Wiener made a design for such a DES breaking machine. He estimated it would cost $10,000,000 to build a machine which would break a 56 bit DES encrypted message a few hours. His machine was scalable, pay more money, break the key faster,

<...> pay

...

less take longer. The estimate was that could build one with enough DES key searching units to break it in a day for $1,000,000. That was 10 years ago. 10 years is a long time in the computer industry. Nowadays you build the machine more cheaply as chip technology has progressed, and computers are much faster per $. Estimates are around $100,000 to build the machine (neglecting hardware engineers consultancy fees).

Go back and check the numbers - if you don't the journalists will. (I don't have this paper to hand either :-( ) The Wiener paper is much more recent (93?) , and the cost much lower (I think it was about $1M for HW and $500K for development costs, for a 3.5 hour machine).

Relevant section of AC2 is Table 7.1 (page 153) The numbers referred to above are slightly out: In 1995, $1M would give you a machine that would break 56-bit DES in an average of 3.5 hours A $10M machine would break 56-bit DES in an average of 21 minutes [Double the times for an exhaustive keysearch] <...> -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBM6/l3+Kk4yfQWUNhEQKW2ACgtC4Jpwy7TCPdXdvUkGuXrwiPDUMAoKD6 1XnG5v2Z9gJzQyrwQ8G4mJ1z =zOLc -----END PGP SIGNATURE----- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ David Lucas - Test Engineer @ SCO Cambridge. E-mail: davidlu@sco.com Opinions expressed within this message are my own and do not necessarily represent those of my employer * I am not a lawyer -------------------------------------------------------------------------- The light at the end of the tunnel is an oncoming train... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At 10:54 AM -0700 6/24/97, Adam Back wrote:

Re comments that I should re-read the paper, here is what Wiener's paper says about estimated costs of a specialized DES key breaker:

$100,000 for a machine to break DES in an average of 35 hrs $1 mil for a machine to break DES in an average of 3.5 hrs $10 mil for a machine to break DES in an average of 21 mins ... 35 hours sounds a reasonable amount of time to break a Swift banking transfer key protecting trillions of dollars of funds.

Show me the money! A DES break that resulted in a loss of several tens of millions of dollars, suitably publicized, would be both educational and rewarding. We often talk about the "threat model." But what's the _profit model_ for breaking DES? Can money be made by breaking a SWIFT transfer in approx. 35 hours? (Personally, I doubt it. Between increasing use of 3DES and "time windows" which are probably much shorter than tens of hours, I doubt a Wiener machine would be of much use to a hacker.) Of course, the payoffs could be huge. If the banking system is really vulnerable to this sort of attack, then why has some private group not financed the building of a Wiener machine? (I know many people who could pay for such a machine out of "spare cash," if the profits/risks were there; I'm not saying *I* would, of course, only that the amounts are not so high. The cheapest of the listed machines above is comparable in price to a Jaguar XK8.) Is anyone publishing on this? Are the details of the SWIFT and similar interbank transfer systems available anywhere? (What kind of out-of-band checksums may exist? What kind of callback systems? What window of opportunity exists if a single DES key is found? Is it useful?) --Tim May There's something wrong when I'm a felon under an increasing number of laws. Only one response to the key grabbers is warranted: "Death to Tyrants!" ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."

Tim May writes:

At 10:54 AM -0700 6/24/97, Adam Back wrote:

...

$100,000 for a machine to break DES in an average of 35 hrs

...

...

35 hours sounds a reasonable amount of time to break a Swift banking transfer key protecting trillions of dollars of funds.

Show me the money! A DES break that resulted in a loss of several tens of millions of dollars, suitably publicized, would be both educational and rewarding.

We often talk about the "threat model." But what's the _profit model_ for breaking DES?

Who says it hasn't been done? It's not as if the banks would be keen to advertise this. You remember a while back some Russians (including one "mathematician" according to news reports) had succeeded in fleecing a US bank of several mil and routing the money to various banks around the world. Until they got caught. The news reports said the US bank(s) wanted to talk to him to find out how he did it. I was always curious as to what that Russian did to crack bank security. I conjecture that it is possible that he built a wiener machine, and that the bank hushed up the story. (And switched to 3DES post haste:-) Also re. $100k = price of a ferrari and there are plenty of mobsters around with that kind of money, that price was 1993 price. Maybe at 1997 prices $100k would get you down to a few hours again. How small are the moving windows? Re. the "profit model" there were several possibilities discussed around the time the DES crack was starting, before Peter Trei persuaded RSA to make a challenge. One was a european ATM card which had a master DES key, and this was part of some standardisation thing (each bank had it's own DES key, plus all participating banks allowed this master key). But it's not much fun making profit off ATM machines -- they have cameras in them, and the cash you can draw on one card in a 24hr period isn't that much. You'd have to produce hundreds of faked cards, and have a whole host of accomplices running around emptying cash machines. Tricky logistics, many participants -> increased chance of getting caught. Not that easy to cash in on. One factor that hasn't really been discussed much is the possibility of amortizing cost. You build the DES breaking machine, and if you use it to break 1000 DES keys, that's $1k per key. Starting to open up even lower end applications with good organisation. I'm sure there were a couple of things discussed where there were some interbank transfers which relied on DES. Moving window means you've got to break the keys fast, as you say. Also I wonder how easy it is to siphon the money and make it disappear with all the auditing. (aka may be you could invest 1 mil and build a fast key breaker, transfer lots of money, but so what if the audit trail points fairly and squarely at you? Cash the money quick and buy unconditional immunity in Belzize?) btw I now have a text only version of the wiener paper up on: http://www.dcs.ex.ac.uk/~aba/crypto-papers/ sans diagrams. (ps2ascii is your friend). As well as the postscript. Some people can't handle postscript. Adam -- Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0