On Mon, 25 Mar 2002, Deepak Jain wrote:
Exactly. Why think $2B is some insurmountable barrier when there are far
$2B isn't an insurmountable barrier. It is well within most intelligence agencies' budgets, and that price will only get lower.
At present, if you have the sophistication to break an "interesting" key, you could have the sophistication to not be detected MITM. The difference between inserting/replacing a valid flow, and simply listening [unless the attacker is stupid] isn't that big a difference from a detection [of the attack] point of view.
Passive attacks are, by definition, undetectable. Active attacks are not; some are simply more detectable than others.
No one is going to spend millions of dollars to get at most the same millions of dollars back in credit card fraud [good money after bad]. Anyone who is relying on these commercial architectures to secure gov't secrets or secrets worthy of an intelligence outfit's attention is a moron [for numerous reasons]. If all you are doing is trying to secure machines against script kiddies, starting huge public debates and initiatives and the like seems like overkill to me. [investment is greater than reward]. YMMV.
Remember that there is no international law preventing a country's intelligence agency from committing industrial espionage for its own companies (and in fact this is common practice). Also, remember that the US Military has considered, and may very well be using, IPsec in the field to coordinate military maneuvers. I think you're really missing the main point with that $2 billion figure. The "big surprise" is that we might be able to put a price-point on factoring 1024-bit keys -- previously, they were thought to be "secure forever". A machine that costs $2 billion today, according to Moore's law, will cost about $200,000 20 years from now. Not counting inflation. That will be well within many people's budgets.