Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.security.pgp.discuss > #76
| From | Jeffrey Goldberg <nobody@goldmark.org> |
|---|---|
| Newsgroups | comp.security.pgp.discuss |
| Subject | Re: TAC1441 Hardware Accelerator |
| Date | 2011-07-10 01:44 -0500 |
| Message-ID | <97t03aF3beU1@mid.individual.net> (permalink) |
| References | <p2ci17500i2j7oojcupvv7ftkc429rr52l@4ax.com> |
On 11-07-09 11:56 PM, Unknown wrote: > > > How strong is PGP against this? > > TAC1441 Hardware Accelerator > > http://www.digitalintelligence.com/products/tacc_hardware_accelerator/ > > Rack-A-TACC > http://www.digitalintelligence.com/products/rack-a-tacc/ Well, if we trust their advertising, they provide the answer(s) to your question right on the pages that you linked to. Look at the charts for their (claimed) passwords per second against different systems. Because they have different rates for different things you can do with PGP, you really have to look at the charts. But for decrypting your private key, it looks like for 20,000 USD they can work at about 1,000 passwords per second, which isn't much at all. But for PGP SDA they get up to about 100,000 which still shouldn't worry anyone with a well chosen pass phrase (for the time being). But of course, you have to decide how long someone would dedicate a $20,000 bit of hardware to your password. Do you want it to hold up for days, weeks, or years of dedicated attack? I've recently written a post (for something other than PGP, but it applies here) about creating a good pass phrase. It is a long post, mostly explaining what is wrong with common password recommendations, and eventually advising a combination of diceware with with something of your own: http://blog.agilebits.com/2011/06/toward-better-master-passwords/ A plain (unaugmented) diceware password of five words (assuming the attacker knew you used diceware) would resist one of those $20,000 units for ... [doing some math now] ... 4.5 million years. (That is a more optimistic result than I expected, so you should check the math yourself). Assumptions are Possible five word diceware passwords: 6^25 = 28430288029929701376 (which is about 64.6 bits of entropy) Passwords tested per second: 100,000 (from the advertising brochure you listed). Calculation: Seconds to exhaust password space: 284302880299297 (password space / 100,000) Average seconds to find: 142151440149648 (previous number /2) Seconds per year: 31536000 (60 * 60 * 24 * 365) Average years to find: 4507592 (4.5 million) Assuming that password cracking proceeds linearly with devices (seems safe), then if instead of throwing 20K USD of gear at your specific password, they were to throw $1,000,000 dollars at it, that would reduce the crack time to 90,000 years. Anyway, y'all can do the math on your favorite scenarios. Just remember that the entropy of a human created pass phrase is not so much a function of how long it is and whether it has digits and symbols in it, but instead on the number of possibilities that the system that you used to create the pass phrase could have produced. (See my blog post for details). Cheers, -j -- Jeffrey Goldberg http://goldmark.org/jeff/ I rarely read HTML or poorly quoting posts Reply-To address is valid
Back to comp.security.pgp.discuss | Previous | Next — Previous in thread | Find similar | Unroll thread
TAC1441 Hardware Accelerator Unknown <Unknown@Unknown.com> - 2011-07-09 21:56 -0700 Re: TAC1441 Hardware Accelerator Jeffrey Goldberg <nobody@goldmark.org> - 2011-07-10 01:44 -0500
csiph-web