[rc5] Re: Aren't we missing the point. WAS: Getting a few more keys/se

Tom Wheeler tomw at intelligraphics.com
Thu Jul 24 14:36:41 EDT 1997

On Thu, 24 Jul 1997 12:43:56 -0400, Paul Leskinen wrote:

>Speaking of missing the point (and I know I'm gonna' get flamed for this
>one...),  I thought the point of the whole effort was to "prove" that
>56-bit encryption is not strong enough to be an international standard. It
>seems to me that we're kind of proving the opposite--here we have a fairly
>well-organized effort to crack the key, and it still takes 10,000 computers
>over a year (roughly) to check all the keys.  Once we have the key, what
>would we do with it?  Most systems that use encryption use a dynamic key
>exchange fairly often (no less than once a day).  If that's true, then what
>good is finding a key in a year, or even a month, if it can't be used for

Keep in mind first of all that the number of clients grows daily. 
10,000 computers is not very many people.  I wouldn't be surprised to
see that figure triple, as more people become aware of the project.

Speaking of which, <evangelism> everybody involved needs to talk to
friends and get them involved - especially if they can get several
machines going </evangelism>.

Second, the goal is to show that it can be done - by regular people,
even.  As long as it hasn't been broken, people will assume it's safe. 
Once it's been broken, people will be less likely to trust it.

Third, people who have lots of money to spend (governments and large
corporations) have specialized computers that can find keys much, much
faster than a PC or Unix workstation.  I'm sure the U.S. government can
break RC5-56 in short order.

>Another point worth considering is that our method works great (albeit
>slowly) if you know what you're looking for (i.e. the encrypted message),
>but what about the case where the encrypted data is just random binary
>data?  How would you know that you've found the correct key?

There's no such thing as "random binary data" (barring a list of random
numbers).  All data has some order to it.  I would assume that in most
cases the cracker is going to know at least part of that order - a
header, particular string, or whatever.  In addition, while I don't
know much about cryptography, I would assume that a key could be
checked by simply encrypting the plaintext obtained using the key with
that key and comparing it to the known ciphertext.  I'll let the RC5
experts confirm or deny this though :-).

Tom Wheeler
tomw at intelligraphics.com

To unsubscribe, send email to majordomo at llamas.net with 'unsubscribe rc5' in the body.

More information about the rc5 mailing list