# In all the talk of super computers there is not...

Allen netsecurity at sound-by-design.com
Thu Sep 6 00:01:45 EDT 2007

```Hi Martin,

I did forget to say that it would be salted so that throws it off
by 2^12

A couple of questions. How did you come up with the ~2.5 bits per
word? Would a longer word have more bits?

Why are you using entropy rather than 2^(keyspace)? With 55
possible characters per each individual character space, a 12
possible combinations without a salt.

Tom Sullivan's Excel spreadsheet for calculating Rainbow Tables,
as corrected by Philippe Oechlin, and based on Philippe's
optimization in the following reference:

http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03

says that it would take 180.341 years to crack with an 86% chance
of success at a hash calculation rate of 100,000,000/sec.

Based on the same speed it would take only 247,465.463 years to
calculate the Rainbow Tables.

So what it boils down to is what is the calculation rate of a
1000 CPU botnet in reality? I chose the 100,000,000 rate sort of
arbitrarily, making assumptions about the hours of real use and
the % of CPU time that would be devoted to creating the Rainbow
Tables.

Even if one were to assume that the real rate would be 1,000
times faster, it still would take nearly 25 years to create the
tables for a twelve character password. If you go to 15
characters then it says it is a mere 4 million years to generate
the tables.

Best,

Allen

mtd wrote:
> Allen wrote:
>> Now take the phrase "Mary had a lamb, and its fleece was as white as
>> snow." Not counting the quotes it is 52 characters and has both upper
>> and lower case characters, spaces and two specials or a total of 55 key
>> space. How big would the rainbow table be to contain that? How long
>> would it take to compute with 1,000 3 GHz CPUs?
>
> You have given english sentence of 12 words as passphrase. If we count
> about 2.5bits of information per word and hash without adding salt, it
> results in about 2^30 combinations. When we divide it over botnet of
> 1000 computers, each must try about 10^6 hashes. I guess you can
> calculate the rest of the anwers.
>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

```