David, David > The simplest attack (``the Exabyte attack'') is to encrypt some > common plaintext block (e.g. "\nlogin: ") under all 2^48 possible > keys, and store the 2^48 ciphertext results on a big Exabyte tape; > then each subsequent link-encryption key can be broken with O(1) > effort. Thanks to the ECB mode, such a common plaintext block > should be easy to find. (With a real chaining mode, these attacks > are not possible under a ciphertext-only assumption, because the > chaining vector serves as a kind of salt.) Even if the ciper were a one byte char, the resulting data set size would be 281,474 GB big, I have not heard of a 281TB tape drive yet. > A much more practical approach would use Hellman's time-space > tradeoff. There, you'd need only about 2^32 space (e.g. $100 at > Fry's for a cheap hard disk), plus you'd need to do a 2^48 precomputation. > After the precomputation, each subsequent link-encryption key > can be broken with about 2^32 trial encryptions. This is 4GB which is doable, but the resultant set of cipertexts would still be ~24GB big, which makes you want to have a really good reason. Although with some dedicated Hardware 281 Trillion combinations could be tried in a few minutes, and it would be broken. regards:jamie
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:02 PDT