[Discuss] KeePassX

[jabr at blu.org (John Abreau)]

Richard Pieri writes:

> If I did my math right, a facility like that can brute-force any 80-bit
key in about 32 hours.

If they want to intercept and decrypt *all* traffic, that means decrypting
more than one key.

I have no idea how much daily encrypted traffic passes through the Internet
on an average day, but just to have a number to play with, the daily logs I
receive show that the  BLU mail server processes approximately 20,000
messages per day.

Let's pretend that each day, there are at least 20,000 email messages
worldwide that are encrypted with randomly-generated session that are
80-bits, and that the NSA wants to decrypt as part of their "capture and
analyze all traffic" plan.

If a single 80-bit key takes up to 32 hours to brute-force, then 20,000
distinct 80-bit keys per day would take 32 x 20,000 hours == 640,000 hours
== 26,667 days == 73 years.

If there were 20,000 separate 8-bit keys per day for the NSA to crack, and
it would take up to 73 years to crack a days' worth of keys at a cost of
$300 million for the hardware, by your math.If there are significantly more
than 20,000 such keys per day, then the time and cost will be much higher.

 If more people start routinely encrypting all their email, not just the
messages containing sensitive information, then the number of keys will
grow significantly.

Weaker encryption could be cracked more quickly and at a lower cost, but
even weak encryption costs them more to process than plain text.

If it takes them more than a day to decrypt a day's worth of traffic, then
they can't keep up with all traffic. In principle, sure, they can throw
more money at the problem, but the money they can spend on decryption is
limited by the amount of tax revenue they receive to pay for it. However
much funding they receive, it's still a finite sum.


On Tue, Aug 13, 2013 at 1:54 PM, Richard Pieri <richard.pieri at gmail.com>wrote:

> Daniel Barrett wrote:
>
>> Just wondering how safe a file is when encrypted with a 4096-bit GPG key.
>>
>
> GPG doesn't work that way.
>
> Your 4096-bit asymmetric key is either RSA or DH, both of which are VERY
> slow algorithms, too slow for general use.
>
> When you encrypt a message, the encryption engine generates a random
> session key. This session key is used to encrypt the message using a
> symmetric cipher (GnuPG uses CAST-128 by default). The session key is then
> encrypted with the public half of your recipient's asymmetric key pair and
> attached to the message.
>
> When the recipient decrypts the message, the session key is decrypted with
> the private half of the asymmetric key pair. The recovered session key is
> used to decrypt the message.
>
> SSL and SSH both work roughly the same way.
>
> --
> Rich P.
>
> ______________________________**_________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/**listinfo/discuss<http://lists.blu.org/mailman/listinfo/discuss>
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99