[cryptography] [Cryptography] RSA equivalent key length/strength

Shawn Wilson ag4ve.us at gmail.com
Sun Sep 22 19:07:10 EDT 2013

"James A. Donald" <Jamesd at echeque.com> wrote:
>On 2013-09-22 23:01, Peter Gutmann wrote:
>> You're assuming that someone got passed a suitcase full of cash and that was
>> it.  Far more likely that RSA got a $10M contract for some government work and
>> at some point that included a request to make the ECDRBG the default
>> <insert plausible-sounding reason here>.  All quite above board,
>> terribly suspicious to raise eyebrows.
>Possibly, but security agencies do tend to use the suitcase full of
>gambit, not to mention the "we know where your children live" gambit.  

Do we have any proof of this? Is there any record of how we did business with Crypto-AG? 

>This, however, because done in secret, tends to be even more wasteful 
>and expensive than the supposedly above ground government contract.

Well yes, windows with noise and radiation deflection or refraction and blast resistant probably cost more than those in your dining room. 

Also, we read this (and most of us are involved with this in some capacity for a living). This makes us spend a bit more time (and possibly money) securing our data. For example, the company I work for does lots of pentests - do you think we use an Active Directory domain? So if I'm working at a place that figures out how to listen to LTE, do you think I'm going to let my employees use LTE? How much does it cost to get end-to-end encryption on a modern phone? How many models and chips do I reverse engineer? How many Angry Birds APKs do I do dynamic (and maybe static) analysis on? The report said they obtained information through hacking. So how much does their ingress and egress monitoring cost? What types of monitoring have they developed for mobile devices (bet someone like Mandiant has a killer contract for this)? 

You see $250 and wonder how you can spend that much. I see that and think "for that price can I have another". 

>For a security agency to order a pizza costs ten million dollars.

Again some proof would be nice. I've heard there is (or was) a BestBuy in the Pentagon that has standard prices on items. I'll bet that store is highly subsidized (scanning people and packages, shielding, etc) but I'd doubt the store sees much (any?) more profit above their other stores. 

>cryptography mailing list
>cryptography at randombit.net
