Bugtraq mailing list archives

Re: Non-PK encryption not vulnerable via low key length?!

From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Thu, 16 Mar 1995 07:09:24 -0500

Correct me if I am wrong - RC2 and RC4 are not public key
cyrptosystems, and hence are not "prone" to the problems with low
moduli.

You are wrong.


They _are_ public-key cryptosystems??

If the key is only 128-bit, that's a much smaller keyspace to
brute-force attack than a 1024-bit key.


True as far as it goes...but I think you're missing the point.

If you're trying to attack a 1024-bit public RSA key, this is on a par
with the difficulty of factoring a 1024-bit number.  This is much
easier than brute-forcing a 1024-bit secret key - I don't know how hard
factoring is nowadays, but I'm quite certain it's a hell of a lot
easier than just making random guesses.  A good private-key cipher
presents essentially that problem: guessing a private value with no
information to go on.  Thus, if DES were ideal in this respect[%],
there would be no better way to crack it than trying one 56-bit key
after another until you find the one that produces sense rather than
nonsense upon decryption of the message[$].  Expected work: 2^55
attempts.  If we assume RC4 is ideal[#], the expected work to crack it
in this use (ie, 128-bit key) is 2^127 encryptions.

[%] DES isn't ideal for various reasons.  It is known to have some weak
    keys, there is an attack known that (if memory serves) allows
    breaking it with 2^47 known plaintexts, and another that works with
    2^47 chosen plaintexts.  Still, 2^47 is a lot of work.

[$] Telling sense from nonsense is another problem entirely, and is one
    reason why it's always a good idea to compress your data before
    encrypting it.

[#] I have no idea how close to true this is, and given RC4's recency
    in the public world, I doubt anyone else who can talk does either.

Key size comparisons between cryptosystems should be taken with a large
handful of salt, at least until you've looked carefully at what
breaking those keys entails.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu

Current thread:

Re: Non-PK encryption not vulnerable via low key length?! der Mouse (Mar 16)
- <Possible follow-ups>
- Re: Non-PK encryption not vulnerable via low key length?! Software Test Account (Mar 16)
  - Re: Non-PK encryption not vulnerable via low key length?! Perry E. Metzger (Mar 16)
- Re: Non-PK encryption not vulnerable via low key length?! Stan Barber (Mar 16)
- Re: Non-PK encryption not vulnerable via low key length?! smb () research att com (Mar 17)
  - Re: Non-PK encryption not vulnerable via low key length?! John F. Haugh II (Mar 25)
    - Re: Non-PK encryption not vulnerable via low key length?! sameer (Mar 25)
    - Re: Non-PK encryption not vulnerable via low key length?! Software Test Account (Mar 25)
- Re: Non-PK encryption not vulnerable via low key length?! Jake Hill (Mar 17)
- Re: Non-PK encryption not vulnerable via low key length?! John B. Brown (Mar 17)
  - GNU finger 1.37 executes ~/.fingerrc with gid root Thomas Roessler (Mar 17)

(Thread continues...)