[aklug] Re: Security issue

From: Christopher Howard <christopher.howard@frigidcode.com>
Date: Sat Jan 15 2011 - 18:47:10 AKST

On 01/15/11 15:14, Jim Gribbin wrote:
> It seems to me if one of these GPU cluster thingies can be used to crack
> this, it can be used to crack other things as well. A PGP encrypted hard
> disk for instance.
>
> Maybe someone here can explain why I have no reason for concern.
>

Um... maybe because a PGP encrypted hard disk is a bit different from
cracking WPA-PSK. Quotes from the article:

"A German white-hat hacker named Thomas Roth claims he has found a way
to use EC2 and some custom software to crack the password of
WPA-PSK-protected networks in around 20 minutes. With some tweaks to his
software -- which tests 400,000 passwords per second using the EC2
compute power -- Roth said he could reduce that cracking time to six
minutes, about $1.68 worth of time on Amazon EC2. (Amazon charges 28
cents per minute to use its services.). . . .

"Roth attributes the success of his brute-force technique to a weakness
in SHA-1. In an earlier blog posting, he wrote, "SHA-1 was never made to
store passwords. SHA-1 is a hash algorithm, it was made for verifying
data. It was made to be as fast and as collision free as possible, and
that's the problem when using it for storing passwords: It's too fast!
... Instead of hash algorithms, one should use key-derivation functions
like PBKDF2 or scrypt. Some of these functions hash passwords some
thousand times and make brute forcing a lot harder."

Brute-forcing /secure/ encryption setups is still pretty much
practically impossible, even if you /own/ your own dedicated supercomputer.

http://en.wikipedia.org/wiki/Brute-force_attack#Theoretical_limits
http://www.lockdown.co.uk/?pg=combi

Now, doubtless having instant access to cluster-level computing puts
/insecure/ setups at greater risk.

-- 
frigidcode.com
theologia.indicium.us
Received on Sat Jan 15 18:47:16 2011
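
The following is an added example, not part of the original message or of Roth's software. It derives a WPA-PSK master key the way the standard defines it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), measures how much slower that is than one bare SHA-1, and works out how long an exhaustive search would take at the 400,000 guesses per second quoted above. The passphrase policies and the SSID/passphrase pair are constructed sample values.

```python
import hashlib
import time

QUOTED_RATE = 400_000  # guesses per second, the figure quoted in the article above
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passphrases of exactly this length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = QUOTED_RATE) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, length) / rate


def relative_cost(samples: int = 50) -> float:
    """How many times slower one PMK derivation is than one bare SHA-1
    on this machine (rough wall-clock measurement)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk_pmk("constructed-%d" % i, "ExampleSSID")
    kdf = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    for i in range(samples * 1000):
        hashlib.sha1(b"constructed-%d" % i).digest()
    raw = (time.perf_counter() - start) / (samples * 1000)
    return kdf / raw


if __name__ == "__main__":
    print("PMK:", wpa_psk_pmk("password", "IEEE").hex())
    print("PBKDF2 vs bare SHA-1 cost ratio: ~%.0fx" % relative_cost())
    # Constructed policies: (label, alphabet size, length)
    for label, alphabet, length in [
        ("8 lowercase letters", 26, 8),
        ("10 lowercase letters + digits", 36, 10),
        ("12 printable ASCII characters", 95, 12),
    ]:
        secs = seconds_to_exhaust(alphabet, length)
        print("%-32s %.3g days (%.3g years)"
              % (label, secs / 86400, secs / SECONDS_PER_YEAR))
```

At the quoted rate, a short lowercase-only passphrase falls within days, while a long passphrase drawn from a large alphabet stays out of reach by many orders of magnitude.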
