[110317] in North American Network Operators' Group
Re: Security team successfully cracks SSL using 200 PS3's and MD5
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Jan 2 17:46:04 2009
Date: Fri, 2 Jan 2009 17:45:56 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Deepak Jain <deepak@ai.net>
In-Reply-To: <D338D1613B32624285BB321A5CF3DB250C8BAEFE61@ginga.ai.net>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Fri, 2 Jan 2009 16:13:45 -0500
Deepak Jain <deepak@ai.net> wrote:
> > If done properly, that's actually an easier task: you build the
> > update key into the browser. When it pulls in an update, it
> > verifies that it was signed with the proper key.
> >
>
> If you build it into the browser, how do you revoke it when someone
> throws 2000 PS3s to crack it, or your hash, or your [pick algorithmic
> mistake here].
>
If you use bad crypto, you lose no matter what. If you use good
crypto, 2,000,000,000 PS3s won't do the job.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
