Posted by: Anonymous Coward
on August 12, 2004 11:10 AM

I think you (as many other people) are confused about the meaning of "bits" in security. To say that 40 bits of security is "trivially breakable" is as incorrect as saying that "128 bits of security is virtually unbreakable": this is valid only in the context of symetric ciphers attacked by brute force (for example, a 128 bits RSA public key is trivially breakable), and you can not reduce any measure to a number of bits.

To say that 40 bits (for a symetric cipher) is trivially breakable means that it is computationaly possible to try all possible keys (or rather, in average, half of them) in a "reasonable" time. With port-knocking, each attempt is done over the network with a much, much higher latency than having your CPU try a key -- how long would it take to test each 2^39 (in average) combination over a network ? The exact number is left as an exercice to the reader depending on his assumptions, but it is definitively not what I would call "trivial" (assuming 1000 attempts per second, I get an average of 17 years).

This, of course, does not mean that the rest of your article is bad.

## Measuring security in bits...

Posted by: Anonymous Coward on August 12, 2004 11:10 AMTo say that 40 bits (for a symetric cipher) is trivially breakable means that it is computationaly possible to try all possible keys (or rather, in average, half of them) in a "reasonable" time. With port-knocking, each attempt is done over the network with a much, much higher latency than having your CPU try a key -- how long would it take to test each 2^39 (in average) combination over a network ? The exact number is left as an exercice to the reader depending on his assumptions, but it is definitively not what I would call "trivial" (assuming 1000 attempts per second, I get an average of 17 years).

This, of course, does not mean that the rest of your article is bad.

Zorglub

#