I am sorry to say. But it is bullshit wot you are saying..... I am quite sure that a 256 bit encryption can cracked (brute force way) by the big players (US, MS, etc) within a reasonable time say 2 or 3 months!
And yes you can buy computers or clusters for 100.000 $. And they are 100 more likely 1000 times as fast as a PII 266. But if you take a look at the distributed.net project. They are working for the past 4 years to hack (bruteforce) the rc5-64. The distributed.net combined power is 90.427 MKeys/sec (that are 17.000 Athlon 1400 PC). This is an average the current power is 196.231 MKeys/sec (36.720 Atlon 1400). And keep in mind that distributed.net project is a bruteforce attempt on 64 Bit encryption! So is a 256 bit encryption safe? Yes. and No. Yes: it is quite safe for a bruteforce attempt, it will take about 30 years for distributed.net. No: Most "secure" encryption methods have sort cuts to hack the code, atleast for DES, Blowfish and several other popular encryption methods. So what should we use? Banking companies demand a 128 bit encryption (in the Netherlands, other countries don't know). For my CMS I am satisfied with an 40 bit encryption. It is a matter of a risk/cost evalution. How much risk is there and if an anomaly occurs how much does it cost me? My advise always use atleast 40(128 is better :) ) bit SSL3 encryption, because SSL2 and lower have some bugs which make it possible to steal a session between users and server. Jerry -----Original Message----- From: TD - Sales International Holland B.V. [mailto:[EMAIL PROTECTED]] Sent: Friday, December 21, 2001 7:05 PM To: Jon Farmer; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [PHP] PHP / SSL On Thursday 20 December 2001 15:37, Jon Farmer stuffed this into my mailbox: 256 bit encryption should be crackable by not too much more people than Microsoft, the US government, China and perhaps some others with shitloads of money that CAN dissapear (within reasonable time). Else there will be questions. Personally I found it hard to believe as well. But I'm told that you can have the same power for like $ 100.000,- by buying the best price/performance now. Make no mistake, those machines only need a mainboard, cpu, cooler, powersupply and a network card. Even better, we're thinking about x86 hardware (you and me) be appearantly there is hardware on the market that was specifically crafted to decrypt stuff brute force. One of those would probably match like a 100 or maybe even a 1000 of the P-II 266 distributed.net has. Now if you're sure you can make $ 200.000,- by the credit card numbers/other info you gain from cracking it, it is already worth the effort. Btw, an Athlon 1400 does 5,3 MKeys per SECOND (RC5-64)!! and those are damn cheap....... > > I urge you strongly to advise against that. Although it might be possible > > to > > > downgrade your encryption to 40bit I'd like to make you aware of the fact > > that DES which is 56 bit encryption if I'm not mistaken was cracked > > several > > > times by brute force in UNDER 22 hours by the distributed.net people > > (www.distributed.net). Therefore I would NOT consider 40 bits encryption > > safe > > > and I feel obligated to make you aware of that. You are warned now :-) so > > do > > > as you please. > > Erm, yeah true.... but by their own admission they used the equivalant of > 160000 PII 266Mhz machines to accomplish this. If you think someone is > going to want your data and has those kinda resources available then yeah > go for higher. However if thats your worry where are you going to stop in > the length of your key? If your that paranoid then it shouldn't be using > public networks in the first place!! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] The information contained in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, production, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. The content of the email is not legally binding unless confirmed by letter bearing two authorized signatures. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
