Does cloud computing really affect the security of encryption?

After the report last week of a German hacker using cloud computing to do a trivial dictionary attack against short passwords, there's been some talk about how the cheap computing power that cloud computing can provide will dramatically change the balance of power between hackers and people using encryption to protect sensitive data.

This isn't even close to being true. To see why, let's look at how cheap cloud computing is and see how much it would actually cost to use it to recover a single 128-bit AES key.

Using Amazon's EC2 service, you can get unreserved computing time for about $0.12 per hour per CPU. Let's assume that that's what hackers will do because they probably won't want to enter into any long-term contracts to do their attacks.

Let's also assume that we can do a single AES-128 encryption in about 160 CPU cycles. That's almost attainable on today's 64-bit processors.

If we have a CPU running at 3 GHz then we might expect to be able to try about 6.75 x 1010 AES keys per hour. If that hour costs $0.12 then that's about $1.48 x 10-13 per key. That's very cheap, but there are lots of 128-bit keys to test. There are 2128 of them, and 2128 is a big number. A very big number.

Testing 2128 keys at $1.48 x 10-13 per key costs a lot – about $50 trillion trillion. You can expect to find the right key after trying about half the possible keys, so you can really only expect to spend only about $25 trillion trillion on this. And that's only to crack a single key! That's not even close to being practical, is it?

(Note that this number is actually so big that we can assume that the computing power gets cheaper by a factor of a trillion or more and we're still left with a number that's immense. We can even reduce it by factors that we rarely use the words for, like quadrillions and quintillions, and cracking an AES-128 key would still cost way too much.)

So cloud computing may be a good way to get a quick boost to your available computing power if it's the sort of thing that you don't use a lot of on a regular basis. But don't expect hackers to be using it to crack encryption keys any time soon.

  • Blog

    Or if you’re really paranoid use AES-192 or -256 :-). However, the bigger issue with cloud-based encryption attacks isn’t that you can break the encryption, as you’ve shown that’s unlikely. Instead, the issue is one of hacking an account that has access to the keys because the cloud, as was shown, enables faster password attacks. Just reinforces the need to keep your keys secure.


  • Luther Martin

    Yes, indeed. Amateurs talk encryption, professionals talk key management.


Leave a Reply

Your email address will not be published. Required fields are marked *