[Interest] TLS/SSL XML encryption security

Roland Hughes roland at logikalsolutions.com
Tue Oct 8 02:11:26 CEST 2019

On 10/7/19 6:21 PM, Thiago Macieira wrote:
> On Monday, 7 October 2019 05:31:17 PDT Roland Hughes wrote:
>> Let us not forget we are at the end of the x86 era when it comes to what
>> evil-doers will use to generate a fingerprint database, or brute force
>> crack.
>> https://www.technologyreview.com/s/613596/how-a-quantum-computer-could-break-2048-bit-rsa-encryption-in-8-hours/
>> [Now Gidney and Ekerå have shown how a quantum computer could do the
>> calculation with just 20 million qubits. Indeed, they show that such a
>> device would take just eight hours to complete the calculation.  “[As a
>> result], the worst case estimate of how many qubits will be needed to
>> factor 2048 bit RSA integers has dropped nearly two orders of
>> magnitude,” they say.]
> Oh, only 20 million qubits? That's good to know, because current quantum
> computers have something like 100 or 200.
> Not 100 million qubits, 100 qubits.

Kids these days!

When I started in IT a Gigabyte wasn't even conceivable. The term 
Terabyte hadn't even been created so it was beyond science fiction.

> Yes, I know that Shor's Theorem says it could solve the prime multiplication
> that is in the core of RSA and many other public key encryption mechanisms in
> O(1) time. But no one has ever proven the Theorem and put it into practice,
> yet.
> And there are all the quantum-resistant algorithms, some of which are already
> deployed (like AES), some of which are in development.
A bullet resistant vest is resistant until someone builds a better bullet.
>> While there are those here claiming 128-bit and 256-bit are
>> "uncrackable" people with money long since moved to 2048-bit because 128
>> and 256 are the new 64-bit encryption levels. They know that an entity
>> wanting to decrypt their sniffed packets doesn't need the complete
>> database, just a few fingerprints which work relatively reliably. They
>> won't get everything, but they might get the critical stuff.
> You're confusing algorithms. RSA asymmetric encryption today requires more
> than 1024 bits, 2048 recommended, 4096 even better. AES is symmetric
> encryption and requires nowhere near that much, 128 is sufficient, 256 is very
> good. Elliptic curves are also asymmetric and require much less than 1024
> bits.
No, I wasn't, but sorry for causing confusion. I didn't mean OpenSource 
or published standard when I said "people with money." Just skip that.
>> Haven't you noticed a pattern over the decades?
>> X-bit encryption would take a "super computer" (never actually
>> identifying which one) N-years running flat out to crack.
>> A few years later
>> Y-bit encryption would take a "super computer" (never actually
>> identifying which one) N-years running flat out to crack (without any
>> mention of why they were/are wrong about X-bit).
>> Oh! You wanted "Why?" Sorry.
> Again, you're deliberately misleading people here. The supercomputers *are*
> identified. And the fact that technology progresses is no surprise. It's
> *expected* and accounted for. That's why the number of bits in most ciphers is
> increasing, that's why older ciphers are completely dropped, that's why we're
> getting new ones and new versions of TLS.
You know. I have *never* heard them identified. The Y-bit encryption is 
what I hear each and every time someone spouts off about how secure 
something is. They never identify the machine and they never under any 
circumstances admit that the very first combination tried at "random" 
just might succeed. The calculation/estimate *always* assumes it is the 
last possible entry which will decrypt the packet and that such a feat 
will *always* be the case.

Roland Hughes, President
Logikal Solutions

