How long does it take to crack SSL?
I was talking to some people a while back about how long it would take to crack SSL and whether or not the governmeng could realistically crack any consumer grade secure communication it wanted to in real time.
In 1995, Hal issued an SSL challenge to see if people could crack a single SSL conversation. Using computers from 1995, it took 32 hours.
SSL challenge virtual press conference
Did you think you'd be able to break it so soon ? Or did it take longer than you estimated ?
The technique I used doesn't leave much room for surprise. I knew I would get the result in at most 15 days, with an expected average of 8 days. The actual time was the same as the expected time because the result was almost exactly in the middle of the search space. It could have taken only a few minutes (if I was extremely lucky) or the whole 15 days (if I was unlucky). The only way I would not have gotten a result within 15 days was if my program had a bug.
I think it's important to note that some of these (actually) 112 machines are quite old, and I could have done the job just as fast with 30 of the fastest workstation that we have (a DEC alphastation, which cost us little more that $10000). According to some letters I got, a MasPar machine would be about twice as fast. You would get roughly the same speed as I did on a network of 40 to 50 high-end Pentium(R) PCs.
Info on the CRACKing of Hal's second challenge
After 114456 seconds (31h 47m 36s) at 01:48:04 on 26th August 1995, Pete Wenzel reported that he had found the key - 9636340d46.
Pentiums hit a max speed of around 90Mhz in 1995 (according to cpu-museum.de). The current crop of computers is around 30 times faster. Top500.org's current list of the Top500 computers says that the current top computer can reach 70.72 teraflops of processing power. A P1 133Mhz is about 23 megaflops (FLOPS benchmark in Forth).
Okay, so let's say take 40 P1 133's at 23 megaflops each, that's 920 megaflops.
70.72 teraflops / 920 megaflops = 76,869.57
70,720,000,000,000 / 920,000,000 = 76,869.57
The world's fastest computer is 76,869.57 (approx) times faster than a cluster of computers that could crack SSL in on average 8 days or less.
8 days * 24 hours * 60 minutes = 11,520 minutes.
11,520 / 76,869.57 = 6.67 minutes
That's 1 SSL connection cracked every 7 minutes.
We've gone from 8 days on average to less than 8 minutes.
Okay, that's supercomputers (which the government may very well own), but what about home computers? After all, the original test was conducted on home computers.
It took a cluster of 40-50 P 90's 8 days to crack SSL. A top of the line home computer is about 30 times faster than a P90, so it would take you a little over 8 days to crack SSL on your home computer, let's say 2 weeks. 14 home computers networked together could crack SSL in a single day.
I admit that this article is a little crackpot and uses a bunch of pseudo-math, but I think it makes the point fairly well.
A timely article on Slashdot called Fun with Prime Numbers emphasizes how easy it is to find primes (which are used in public key encryption).
Schneier on Security: SHA-1 Broken
page first created on Tuesday, November 09, 2004
© Mark Wieczorek