Re: HTTP/2 and Pervasive Monitoring

On 20 August 2014 00:29, Poul-Henning Kamp <> wrote:
> I don't think the algorithm matters, as long as it's not buggy, the
> bruteforcing will be done against the keys used.

Let's go with this and run with it a little.  Assume that you are
using AES-GCM or something like it.  That's 2^64 decryptions to get a
50/50 chance of success.  The constant factor is the speed of the
algorithm and it's key schedule.  If you can do 10Gb/s on a single
machine with Ilari's estimated ~1.7 cGHz and 14cGHz per core, that
means something in the order of 900 machine years to brute force a
single key.  Based on some rough guesses on AWS (ECU to cGHz
conversion) and current prices, that's going to set you back about
USD170K.  It's highly parallel, so don't expect to wait particularly
long.  Big caveat on the numbers, I've fudged a fair bit (on the
pessimistic side).

On the other hand, if you reduced the key size to 32-bit and increased
the enciphering rate by a linear factor (4), that reduces the number
of calculations significantly.  That works out a cost for a brute
force of USD0.0000000001

USD170K might be OK, depending on what you concern yourself with.
Though it makes me think that a move to 256-bit ciphers might need to
come sooner than I expected.  On the other hand, any significant
reduction in key size basically seems to amount to nothing short of an
ineffectual cipher.  Even a 64-bit cipher that increased throughput by
a factor of 16 would be a trivial cost to brute force.

Received on Wednesday, 20 August 2014 17:00:30 UTC