Cracking keys on the cheap in the cloud

There is no absolute security for the cryptographic techniques in use today. The best they can do is elevate the financial or time constraints for cracking passwords and keys to such a level that it's no longer worth doing.

Cloud techniques are, however, reducing these costs. The use of multiple high-power virtual computers significantly reduces the time required to crack passwords and keys. Staff from security company Electric Alchemy have now demonstrated this using a PGP zip archive as an example.

Small, simple passwords can be cheaply cracked in the cloud
Source: news.electricalchemy.net They ran a distributed brute force attack on the file using Amazon's EC2 web service. The software (EDPR) for the attack came from Russian company ElcomSoft. On a dual Core PC running Windows 7, determining the password by trial and error would have taken 2,100 days. 10 virtual computers running EDPR simultaneously, reduced this to just 122 days. One hour of EC2 processing time in this case costs $0.30 per instance, meaning that it cost just under $9,000 to crack the key. Since, according to Electric Alchemy, EDPR scales in a more or less linear fashion, using 100 instances, the same result could be achieved for the same price in just 12 days.

A further blog entry from the company notes that cracking long and complex keys is likely to remain too expensive for the foreseeable future. They calculate that cracking a 9 character key which utilises the full range of ASCII characters would cost at least $10 million, rising to 8 billion for a 12 character key. If the password is limited to just letters and numbers, however, the cost drops considerably – a nine character key can be cracked for less than $2,000.

(djwm)