Quote:Original post by drakostar

Per "Applied Cryptography", spending $10 trillion in 1995 on custom hardware would brute force your 128-bit key in 10^11 years. Even if we wildly overestimate the hardware progress in the last 15 years (say 1000x faster and 1000x cheaper)

Darn the inflation... Today, this kind of computing power can be had for $2000.

Quote:we're still way way off from anybody feasibly cracking a 128-bit key.

Still, some people cracked the 512-bit RSA.

And again, as real world works, the solution was not to improve the key. A much simpler, cheaper and faster solution involved lawyers. Hence, the details are no longer immediately available in above link, but google or other sources might still show some details.

The main question regarding the (brute-force or otherwise) cracking of your public key is whether it's worth it. Mind you, we're talking of passwords for a computer game, not of transaction codes for the federal reserve bank.

Maybe the NSA has a secret super computer the size of Virginia that has its own dedicated cluster of nuclear powerplants. Maybe they can crack your public key in less than 2 months with it. Ok, seriously now, why the hell would they want to do that? Surely, nobody will spend a few hundred million dollars to get access to a few game accounts.
Unless your company name is Blizzard, the maximum value that your encrypted secrets might have realistically is maybe 20,000-50,000 dollars if you are very, very successful. It would be just foolish for an attacker to employ a technique that costs several thousand times more than what the information is worth.

Maybe someone can convince a few million internet users to dedicate computing power to him for cracking purposes (or acquire computing power via some malware)? They might be able to crack your key in a year or two at no cost! (This is nowhere near realistic, but let's just assume it were.)
Right, let them crack it. You can trivially include a new public key with every patch. It's not like generating a secret/public key pair is any difficult or has any noticeable cost.
If you bring out a patch once every other month, one can only wish the best of luck to anyone cracking your keys. By the time they've cracked a key, its value will be exactly zero.

Quote:Original post by Antheus
Still, some people cracked the 512-bit RSA.

Although impressive, it still isn't quite as stunning as it sounds at the first moment.
Looking at some old key size recommendations, the security of 512-bit RSA was once upon a time said to be approximately comparable to that of a 56-bit block cipher (and this estimate does not include about a decade of improvements in factorisation). Nobody would likely protect anything sensitive with a 56-bit symmetric key these days, would they.

If someone manages to present a cracked 2048 or 3072-bit RSA or a 256 bit ECC key, then we may have a reason to worry, but I guess it will be another few years before that happens (hopefully).

I recall that OpenTNL exchanged asymmetric keys (I believe RSA) without a certificate. I believe directly over UDP. After setting up the asymmetric keys, it passed in a symmetric encryption key and then used that for the rest of the session. The explanation was that the symmetric key was "faster." It doesn't protect from man-in-the-middle attacks, but it might suffice for your purposes. Unfortunately I can't seem to load the OpenTNL site anymore, and I don't know if it went defunct.

Quote:Original post by hplus0603
If that's the attack you're trying to protect against, then that solution won't conceptually help any more than the solution that sends the password in plaintext.

I would argue that it makes it does make it significantly more difficult to sniff the password as you'd have to intercept the messages as opposed to just sniffing them. However, you are correct that it would still be relatively trivial for a determined attacker to get the contents, so it shouldn't be used for anything important.

I'm curious, how many of such password attacks are MITM? Is MITM really an important vector to consider?

A non-dedicated hacker (script-kiddie) will not attack the internet infrastructure. They won't have access to an ISP, at least not more than local one where they could sniff out their school buddy's account.

Various money shops are about bottom-line. Performing wide scale MITM to warrant their interest is simply not cost-effective. Plus, it might bring legal hassles on them.

Third option is user looking at traffic via Wireshark or tcpdump. Well - they own the account, they might as well know the password (gotcha: siblings).


So in the end, we end up with keylogger. Without encryption, they could just use pcap and sniff the traffic. With encryption, then need to hook the executable in some way.

There really isn't much of a difference between the two methods - the hardest part is getting such logger installed on target machine, preferably in a cost-effective manner (XSS attack, infection of P2P networks, serial and keygen sites, ....).

So is the effort put into this type of attack really worthwhile? How often is MITM the cause of stolen accounts?

Consider setting up free wireless access points in crowded places like airports and coffee shops. Some less-savvy users will route through you, and you can then either sniff traffic or perform a MITM attack. Also consider if you're using a consumer-level router with a known exploit. DD-WRT, at the very least, had some sort of exploit patched within the last year. I do think its worth worrying about.

The difference between just sending a plain-text password and doing a key-exchange without a certificate authority is that the former just requires sniffing while the latter requires that you actually negotiate the connection as a middle-man. The former is passive while the latter is active.

Edit: Simplified my first two paragraphs.