
Re: The Next Y2K Problem (?)



On Sun, 19 Jul 1998, Shlomi Fish wrote:

Warning: I'm not a crypto expert

> At the moment there are computer systems all over the world that rely on
> 40-bit password encryption or a worse encryption scheme. The main
> reason for that is the various bans imposed by the U.S. government and
> other governments on the use of powerful encryption algorithms.
 
> At present, 40-bit encryption cannot be easily broken by using one's home
> computer alone. But computers are getting faster and faster all the time.
 
> Close to that time, all the computer systems will have to be updated in
> order to prevent them from being exploited. 

No, the passwords (or salt) will have to be updated. Ever wondered why
you're asked to change your password every X days/weeks?

> This may create a frenzy not like what the Y2K problem is causing today.

Not likely.

> Of course, large institutions such as banks have to worry first, because
> an intruder may be willing to invest a larger sum of money to break into
> their systems.
 
Systems sold to banks and other institutions have an estimated 'life'. 
They are not supposed to work forever. The crypto problem is a part of the
estimation of the life of a system, given a known cost assumed reasonable
to be put up by a third party for penetration. In other words:  They will
sell the old iron or update it long before it gets too many holes. 

This has nothing to do with technology; the bookies who run the thing will
push for it. On their paper (?) ledgers the $X Mill. systems will be worth
$0 at a given time after purchase, at which point they will toss it into
the street in ice cold blood.

They will actually shrewdly toss it before that, as they are not stupid
enough to pay someone to remove the stuff, so they'll contact a used
equipment broker when the value of the equipment is == 50% of the
after-market value of that equipment, so the broker is interested, and
remove the old iron for free ;).

Of course revolutions in computing power can turn such a 10-year provision
upside down, but there are silicon power-growth 'laws' and other
calculations that allow one to make a fairly good estimation today on what
computers will be able to do in say, 5 years from now.

> Does anyone have, or can point me to, data that will enable us to estimate
> in what year 40-bit, 64-bit, etc. data encryption algorithms will
> become ineffective?

If by 'ineffective' you mean that anyone can break the code in 30 seconds
with a computer bought wholesale, no. But for DES and other algorithms
there is data on the web for estimations about how long (and what
computers) it takes to break a certain code.

Please search the web, especially around the RC5 cracker pages, there are
a lot of links to places of interest.

Peter
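The estimate Peter describes (a system's crypto 'life' given an assumed attacker budget and a silicon growth law) can be written down as a small capacity-planning calculation. The following Python is an added example, not code from the thread or from either poster; the throughput figure, the 18-month doubling period, the machine price and the "acceptable" search time are all assumed parameters chosen for illustration, not measured values. It computes the expected exhaustive-search time for a key of a given size, and from that the number of years until that time drops below a threshold if hardware keeps doubling in speed.

```python
"""Key-lifetime estimate from keyspace size and an assumed hardware growth law.

All numbers passed in below are assumptions for illustration (constructed),
not measurements of 1998 hardware or of any real product.
"""
import math


def expected_search_seconds(key_bits, keys_per_second):
    """Expected time to find one key by exhaustive search.

    On average half the keyspace (2**key_bits / 2) must be tried before the
    right key is hit, so the expected cost is half the worst case.
    """
    return (2 ** key_bits) / 2 / keys_per_second


def years_until_feasible(key_bits, keys_per_second_now, target_seconds,
                         doubling_months=18.0):
    """Years until expected search time falls to `target_seconds`.

    Assumes attacker throughput doubles every `doubling_months` (an assumed
    Moore's-law style growth figure). After t years the search takes
    now_seconds / 2**(t * 12 / doubling_months), so we solve for t.
    Returns 0.0 when the key is already searchable within the target.
    """
    now_seconds = expected_search_seconds(key_bits, keys_per_second_now)
    if now_seconds <= target_seconds:
        return 0.0
    doublings_needed = math.log2(now_seconds / target_seconds)
    return doublings_needed * doubling_months / 12.0


def budget_throughput(budget_dollars, dollars_per_machine, keys_per_second_per_machine):
    """Aggregate throughput an attacker with a fixed budget could field today.

    Models the 'known cost assumed reasonable to be put up by a third party'
    as whole machines bought at a fixed unit price (assumed, linear scaling).
    """
    machines = budget_dollars // dollars_per_machine
    return machines * keys_per_second_per_machine


def lifetime_table(key_sizes, keys_per_second_now, target_seconds,
                   base_year, doubling_months=18.0):
    """Calendar year in which each key size becomes searchable within target."""
    return {
        bits: base_year + years_until_feasible(bits, keys_per_second_now,
                                               target_seconds, doubling_months)
        for bits in key_sizes
    }


if __name__ == "__main__":
    # Assumed parameters (constructed for the example, not real figures).
    per_machine = 2 ** 20        # keys/second per machine, assumed
    budget = 1_000_000           # attacker budget in dollars, assumed
    price = 1_000                # dollars per machine, assumed
    throughput = budget_throughput(budget, price, per_machine)
    one_month = 30 * 24 * 3600   # "acceptable" search time, assumed
    table = lifetime_table([40, 56, 64, 80, 128], throughput, one_month, 1998)
    for bits, year in sorted(table.items()):
        print(f"{bits:>4}-bit key: expected search <= 1 month from about {year:.1f}")
```

The model deliberately ignores algorithm-specific shortcuts and counts only raw exhaustive search, which is why it is a lower bound on attacker effort and an upper bound on a key's useful life; a planner would re-run it whenever the assumed throughput or doubling period changes.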