encryption

Golden Tee is Reeeealy secure

Speaking of encryption, I noticed this gem on Golden Tee's website today.
128 BYTES! As I'm sure you all know, one byte is equal to eight bits (they meant to write bit - obviously).

I really don't want to do the math from yesterday's post to figure out how long it would take to crack 128-byte encryption. Suffice it to say that the universe would be a cold dead blob by the time it happened.

How Secure is Secure Enough?

I stumbled across a picture of one of those keypads you find on some cars such as Fords and it got me thinking about how easy their code would be to break compared to SSL encryption - and why we don't seem to have a problem with that. You also sometimes see these keypads on the front doors to homes and garage doors.

Typically, these keypads have five buttons labeled 1/2 3/4 5/6 7/8 and 9/0. I suppose they're labeled as such to trick us into thinking there are ten possible numbers you could press, thus doubling the possible number of permutations - but obviously this isn't the case.

Given a five-digit code, with five possible characters for each digit, we see that there are only 5^5 or 3,125 possible permutations. In a brute force attack, the expected number of trials before the correct key is found is equal to half the size of the key space - in this case 1,563.

Figuring you can key in about one code a second, it should take you about 20 minutes to break the code using a brute force attack. (and no, most models don't have a timeout - nor do they otherwise penalize incorrect codes)
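The point above about keypads that neither time out nor penalize wrong codes can be put in numbers. The following is an added example, not part of the original post: it computes the average exhaustive-search time for the 3,125-code key space with and without a lockout. The lockout policy and its parameters (pause length, failures before a pause) are hypothetical.

```python
from fractions import Fraction

KEYPAD_CODES = 5 ** 5  # five buttons, five-digit code: 3,125 codes (from the post)


def expected_seconds(keyspace, seconds_per_try=1, lockout_after=None, lockout_seconds=0):
    """Average time to reach a uniformly random code when every code is tried once.

    If lockout_after is set, the keypad pauses for lockout_seconds after every
    lockout_after wrong entries (hypothetical policy, not a real product's).
    """
    total = 0
    for position in range(1, keyspace + 1):  # the right code is the position-th guess
        failures = position - 1
        pauses = failures // lockout_after if lockout_after else 0
        total += position * seconds_per_try + pauses * lockout_seconds
    return Fraction(total, keyspace)


def minimum_lockout(keyspace, target_seconds, lockout_after, seconds_per_try=1):
    """Smallest whole-second pause that pushes the average time to target_seconds."""
    lockout = 0
    while expected_seconds(keyspace, seconds_per_try, lockout_after, lockout) < target_seconds:
        lockout += 1
    return lockout


if __name__ == "__main__":
    no_penalty = expected_seconds(KEYPAD_CODES)
    with_pause = expected_seconds(KEYPAD_CODES, lockout_after=5, lockout_seconds=60)
    print(f"no penalty:           {float(no_penalty):.0f} s on average")
    print(f"60 s pause per 5 bad: {float(with_pause) / 3600:.1f} h on average")
    print(f"pause needed for a 24 h average: {minimum_lockout(KEYPAD_CODES, 86400, 5)} s")
```

With no penalty the average equals the 1,563 trials quoted above, one second each; the pause contributes a term that grows linearly with its length, which is why even a short lockout dominates the total.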

Compare this to the AES-128 standard we use as a key for credit card transactions on the internet. The key consists of 128 on/off bits, meaning there are 2^128 or 340 undecillion or 340,282,366,920,938,463,463,374,607,431,768,211,456 possible combinations! Using a brute force attack, one could assume they would break the code in 2^127 or about 170 undecillion tries.

So why do we put so much more effort into securing our online CC transactions than we do our physical belongings? Especially considering that a car or a home is a very likely place to steal physical credit cards! (Which are probably far more valuable to a petty thief - I mean, what would you do if you had just a credit card number and security code? You couldn't have anything you bought shipped to your home.)

I suppose one explanation is that once a transmission of an encrypted CC number is intercepted, a hacker could take as much time as he likes cracking it in the comfort of his parents' basement. Even then, with a powerful computer program running 1,000 combinations a second, it would take on average 539,156,392,000,000,000,000,000,000,000 years to crack the code. Heh.

I think it's more likely that people are just scared of the unknown. A lot of people probably don't have a good understanding of the risk involved. And fear is good business (Credit monitoring companies, Life Lock - I'm looking at you Todd Davis)
