On 2014-06-30 12:20, Hubert Kario wrote:
From: "Kurt Roeckx" <k...@roeckx.be>
On 2014-06-30 02:35, Hubert Kario wrote:

I have to disagree here. Even 1024 bit DHE requires a targeted attack at ~80 bit
complexity. Currently we see RC4 at around 56 bit, with a completely unoptimized
attack...

Do you have a reference for those 56 bit?

My estimation.

http://www.isg.rhul.ac.uk/tls/
requires 2^30 sessions with 2^8 computations to recover full text.
And it requires 2^24 sessions and 2^8 computations to recover some bytes.

Please note that those are 2^30 sessions with the same plain text. That is hopefully not done by just monitoring.

Even if the equivalence is higher, capturing 2^10 of sessions won't
require extended monitoring. If we then say that this then requires 2^67
computations (over 3 to 1 equivalence) the cost of that is around $250000
using EC2. That's mafia kind of money, not NSA.

As far as I know the attack is purely based on statistics. Throwing more CPU time at it won't suddenly change the statistics. For the attack to work you need more data not more CPU time.


Kurt

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
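
Added example, not part of the thread: a measurement of why a bias-based attack on RC4 is limited by the number of captured sessions rather than by CPU time. The thread names no specific bias; this sketch assumes the well-known second-byte bias (Mantin and Shamir, 2001: the second keystream byte is 0 about twice as often as uniform) as a stand-in, with constructed random 128-bit keys.

```python
import math
import random

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by n output bytes (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def bias_z_score(sessions: int, seed: int = 2014) -> float:
    """Z-score of the count of sessions whose 2nd keystream byte is 0,
    measured against the uniform expectation of sessions/256."""
    rng = random.Random(seed)  # constructed keys: one fresh 128-bit key per session
    zeros = 0
    for _ in range(sessions):
        key = rng.getrandbits(128).to_bytes(16, "big")
        zeros += rc4_keystream(key, 2)[1] == 0
    p = 1 / 256
    return (zeros - sessions * p) / math.sqrt(sessions * p * (1 - p))

if __name__ == "__main__":
    # Same per-session work at every size; only the amount of data changes.
    for n in (256, 2048, 20000):
        print(f"{n:>6} sessions: z = {bias_z_score(n):5.1f}")
```

The work per session is constant, and the z-score grows roughly with the square root of the session count, so the signal only separates from noise once enough sessions have been observed.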