[rc5] yet more rc5-64 vs Something Else

Steve Trottier STROTTIER at novell.com
Wed Oct 1 23:10:53 EDT 1997

> > As far as I'm concerned 64-bit IS enough for what I use encryption for. 
> > don't think any of us can dictate to anyone else how they should
> > the results of our effort.  Whether or not we try the RC5-64bit contest
> > won't) we have shown that it takes months to find a single key for a
> > transmission encrypted with RC5-56.  I don't know about you, but the most
> > sensitive thing I will probably ever protect with encryption is my
> > card number and I only have a $10,000 limit so I doubt it would be worth
> > for anyone to spend several times that for the effort needed to find my
> > 56-bit key, let alone my 64-bit key.  On the other hand, the prize for
> > contest is only $10,000...so I could be wrong.
> > 
> > I think we've given enough data to whoever wants to know about how much
> > effort is required to find a 56-bit key that they could extrapolate to
> > figure out what would be required to find a 64-bit key.  We wouldn't
> > be providing any new or useful information, except possibly how easy or
> > it is to recruit additional computing power.
> > 
> This is with free clients on IDLE cpus running regular operating
> systems.  For _very_ little money and a little research, a company
> or government group could crack 64 bit in a few weeks.

Yes, I know, but my point is that it is all relative to the data that you
are trying to protect.  I agree that if in my role as a Novell employee I
had to transmit some valuable Novell trade secrets to a coworker across the
internet I would want to use strong encryption...certainly more than 64-bit.

However, if I am ordering flowers from www.1800flowers.com and I see that
they use 64-bit encryption to protect the transaction, I wouldn't hesitate
to order online.  The government isn't interested in my credit card number.
Joe Hacker might be, but he would likely target some transaction that wasn't
protected with a 64-bit encryption key before he would target me.  To him,
seeing that it would take the distributed.net effort 60 years at their
current rate to find a 64-bit key would be a deterrent.

So, you see, we aren't sending one clear message that 56 or 64 bit
encryption isn't strong enough.  All we're doing is providing hard data that
others can look at and come up with their own conclusions about how much
encryption they need.

That's not to say that I don't want the US government to relax export
restrictions on encryption.  I think the restrictions are ridiculous, but
that's a whole other issue.

Steve Trottier <strottier at novell.com>
PGP encrypted email welcome. Get my public key (5.0) at: