>That is true: it cost US$ 250,000 and used 1,856 custom chips to crack one
DES key in a little more than two days.
This is grossly misleading. It is like saying “It cost 10,000,000 USD to
build your CPU”, conflating the cost of the equipment (the semiconductor plant)
with a single unit of output (the CPU). 250,000 USD is the cost to build the
equipment. The cost to crack a key is much lower and is basically only the
cost of electricity and maintenance plus a tiny fraction of the cost of the
equipment (which is amortized over many runs).
>At one trillion guesses per second, the NSA needs 6118 years to crack the
password
Your emphasis on “billions” and “trillions” to make the wimpy entropy
of your password generation scheme appear impressive merely adds to the
humor value of your message.
Your “trillion guesses per second” is an arbitrary number. You are
deluding yourself if you think that any serious attacker will be so limited.
This is roughly the computing power of one Bitcoin miner with a cost of
around 100 USD. Of course, Bitcoin miners are highly specialized and cannot
be used for password cracking. This is meant as an illustration of the cheap
cost of computing equipment. And again, computing equipment can be reused, so
the cost per run is even lower. You could argue that Bitcoin miners are cheap
because there are economies of scale, but so will there be in any serious
brute-force attack.
If the password hash is iterated, as most are, this adds just a couple of
orders of magnitude to the cost.
>Do you realize that means the effort (basically the time and energy) to
crack the password by brute force is multiplied by 2^7.6 = 194?
It would, if we were still in 1998, but we are not. We are not stuck with
20-year-old technology. Today's digital electronics are much faster, cheaper
and more energy-efficient.
I am sorry if the number 194 sounds big in your mind. Factors like this are
routinely ignored in cryptographic analysis. As a rough rule of thumb, the
computing-power-to-cost ratio doubles every 1.5 years (this is not Moore's
law, but it is related). 19 years is thus an increase by a factor of
2^12.7 ≈ 6500. Your factor of 2^7.6 pales in comparison.
Conclusion: In 2017, your suggested scheme is more broken than DES in 1998.
>Here is an excerpt from 'man urandom', which makes my point:
No, it does not. You tried to change the argument without anybody noticing,
but your attempt failed. I quote you with emphasis added:
>Notice also that my solution uses /dev/random, not /dev/urandom.
/dev/urandom providing only pseudo-randomness, there is a risk (although it
should be OK) of a bug
Your original point was about bugs. The man page talks about cryptographic
attacks.
Regarding the risk of cryptographic attacks on the CSPRNG, this only
affects the conditional entropy of subsequent bytes when the attacker knows
part of the past output of /dev/urandom, which is not the case here. Moreover,
the fact that the entropy pool is continuously mixed with new entropy makes any
attack on the CSPRNG algorithm much more difficult.
Also, a cryptographic attack can always compromise the security of a
practical cryptographic system, so saying “Don't use this because it is
vulnerable to cryptographic attacks” is equivalent to saying “Do not use
any modern cryptography”.
If you are so afraid of cryptographic breaks, feel free to use the one-time
pad instead of GnuPG to encrypt your data.
-----
Enough of giving you free lessons about the cost of brute-force attacks. I am
sharing my knowledge altruistically, but I gain nothing, and I have other
things to do, so I withdraw from this discussion. If you want to learn about
brute-force attacks, a good starting point would be the paper
“Understanding brute force” by D. J. Bernstein.
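The cost model argued in the reply above (hardware speed-up over time, iterated hashes, and amortized equipment cost) as a small worked calculation. This is an added example, not part of the thread; the 1.5-year doubling period and the 6118-year / one-trillion-guesses-per-second figures come from the posts, the equipment lifetime and running-cost numbers are constructed placeholders.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hardware_speedup(years, doubling_period=1.5):
    """Growth of computing power per unit cost over `years`, using the
    rule of thumb quoted in the thread: a doubling every 1.5 years."""
    return 2 ** (years / doubling_period)


def years_to_exhaust(entropy_bits, guesses_per_second, iterations=1):
    """Years needed to try every one of 2^entropy_bits candidates when each
    candidate costs `iterations` hash evaluations at the given guess rate."""
    total_hashes = 2 ** entropy_bits * iterations
    return total_hashes / guesses_per_second / SECONDS_PER_YEAR


def entropy_implied_by(crack_years, guesses_per_second):
    """Inverse of years_to_exhaust: the keyspace size (in bits) that a
    claimed crack time at a claimed guess rate actually corresponds to."""
    return math.log2(crack_years * SECONDS_PER_YEAR * guesses_per_second)


def amortized_cost_per_crack(equipment_cost, lifetime_years,
                             crack_years, running_cost_per_year):
    """Cost of one crack when the equipment is reused for its whole lifetime:
    its share of the purchase price plus electricity/maintenance while it runs.
    (Constructed model; the thread makes the argument, not the numbers.)"""
    runs_over_lifetime = lifetime_years / crack_years
    return equipment_cost / runs_over_lifetime + running_cost_per_year * crack_years


if __name__ == "__main__":
    rate_1998 = 1e12  # the "one trillion guesses per second" from the thread
    bits = entropy_implied_by(6118, rate_1998)
    print(f"6118 years at 1e12 guesses/s corresponds to about {bits:.1f} bits")
    print(f"Factor 2^7.6 = {2 ** 7.6:.0f}, 19-year speed-up = {hardware_speedup(19):.0f}x")
    # Same keyspace, same budget, 19 years later; 1000x iterated hash.
    rate_2017 = rate_1998 * hardware_speedup(19)
    print(f"Years at 2017 rate, 1000 iterations: "
          f"{years_to_exhaust(bits, rate_2017, iterations=1000):.1f}")
    # Constructed placeholder numbers: 250k USD machine, 5-year life, 20k USD/yr to run.
    print(f"Amortized cost per 2-day crack: "
          f"{amortized_cost_per_crack(250_000, 5, 2 / 365.25, 20_000):,.0f} USD")
```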