Couldn’t you run a massive brute-force decryption attack in Amazon’s cloud and have it only cost you about $500?

Something just occurred to me. Given the massive cost efficiencies of Amazon’s cloud computing service, doesn’t that mean that the cost of brute-force decryption has also just fallen to 1 penny on the dollar compared to a year ago. Has anybody else been talking about this?

(2) Comments

  1. Avatar

    The NYTimes did some on-demand super computer stuff with EC2/S3: http://open.blogs.nytimes.com/2007/11/01/self-service-prorated-super-computing-fun/

    Just some thoughts. Brute force requires massive parallel processing, to test as many keys as possible as fast as possible.

    The smallest instance on EC2 costs about $70.00/mo to keep on full time. That is a fairly lower powered machine. If you were say to run 1000 of these that’ll cost you $700,000/mo.

    A much cheaper alternative would be get a bunch of PS3s, nVidia GPUs, etc, and create your own custom cracking cluster of cell processors and GPUs. Take a look at the folding@home status:

    http://fah-web.stanford.edu/cgi-bin/main.py?qtype=osstats

    Using PS3s (runs Linux) or a dozen desktop loaded up with nVidia graphics cards, will probably net you 10x the cracking power at a fraction of the cost of EC2 🙂

    *whew*

  2. Avatar

    Yes and no.

    Cost isn’t the primary problem that needs to be solved when it comes to brute force attacks. The core problem is simply the magnitude of attempts that are required to guarantee success, and the computational time required for each attempt. Most people simply can’t comprehend the numbers involved.

    Take a look at distributed.net’s statistics on the RC5-64 challenge: a brute force attack against a 64-bit key (relatively small by today’s standards) took over 4 years to complete. Why so long? Because it had to search 18,446,744,073,709,552,000 possible keys; the distributed brute force attack (run in a similar fashion to folding@home) had to test 15,268,315,356,922,380,000 keys before it found the right key. On average, the network was testing 102,385,059,633 keys every second.

    That’s not to say you couldn’t do it with Amazon, but I doubt it would be “cheap”, unless you’re judging the cost versus that of traditional attacks that required you to buy all the hardware.

    But, as pointed out above, there are much cheaper alternatives. I would even go so far as to suggest that the best/cheapest way to achieve the goal would be not Amazon’s EC2, but rather a distributed network of machines donated willingly (as in distributed.net) or unwillingly (via malware) by users to perform the attack in their spare cycles.

    One might even postulate that, given the increasing prevalence of botnets, such a network may already exist.

Comments are closed.