Assuming the encryption rating is the rating of the encryption programm (there is no "encryption action" as stated on page 256) the hardest encryption would be 6.

Even if you use the house rule that allows only "skill" rolls in an extended test, the treshold of 2*6=12 can be cracked by a 12 year old.
If you have 5 decrypt, 4 response you get to roll 9*5 = 45 dice, that get you 13 hits on average.

If you dont use the house rule, but the optional rule that allows "dice" rolls you only need a combination of response and decrypt that adds up to 7. giving you 7*7=49 dice for an average of 14.33 hits.

If you dont restrict extended tests at all your 1 response 1 decrypt script kiddie is hacking your beefy rating 6 encryption in 18 combat turns which is about one minute.

Did I overlook something?

Which just destroys the character concept of a hacker - back to square one.

In SR3 it took unplayable amounts of time, gear and karma to defeat broadcast encryption, while it took only a Simple action and a halfway decent Program to defeat any matrix encryption.

The method of changing * to ^ while leaving everything else the same would be the least invasive one, too.

Effectiveness of future encryption schemes is not a matter of computational power, it's a matter of concept. Whatever the progression of computational power in the future may be, one thing is for sure: if there exist encryption schemes that are widely believed to be secure (even by Megacorps, governments, etc.), then Joe Average Streetpunk won't have the knowledge of breaking them. That is the very essence of encryption.

But then again, considering it is a game world, one can make of it whatever he wants.

Btw: hello board.

And i doubt that today's encryption schemes will be anywhere near the sota encryption schemes of 2070.

Yes thats why the worlds best encryption algorithm out there today was cracked by hackers in 3 days the second time they tried. The first time was a couple of months. And that was encryption that was supposed to take years upon years to crack. Hackers are far more ingenious at figuring out ways for breaking encryption than you give them credit for.

Nope. It assumes that future encryption is unlikely to be based on the hardness of factoring therefore it doesn't matter if such an algorithm exists.

Got some reference for that? A link?

sure let me go dig it up and I'll edit here and post it.

EDIT: Atm having trouble tracking down the article on it though I'm still working on it. I will give relate what I remember just incase someone else picks up on it and can help me find the thing faster. Essentialy there was a contest(?) to see if the encryption was breakable to prove that it was unbreakable. Bunch of hackers got together, and essentialy created a distributed network using the unused cycles of the CPU's. First time they beat the encryption in a matter of 2-3 months I think, and then they tried a second time enlarging their network and beat it in a matter of days. Anyways back to searching!

Quite possibly. I had thought something like that was done alot more recently. I could very well be wrong here so I apologize if I've got my dates confused and such and am infact completely wrong.

Shadowrun cryptography sounds more like symmetric key cryptography (like DES) than public key crypto (like RSA). Symmetric key crypto doesn't care about prime numbers. Like I said before, eithor you have (near) infinate processing power, a crack for the specific algorithm, or you don't break the crypto.

Assuming current understanding of information theory and physics are accurate, the entire energy output of the sun for it's entire lifespan could not power a turing-type computer constructed within the laws of physics that could brute force a 256 bit symmetric key. (Source: Bruce Schneier "Applied Cryptography") Quantum computers could reduce the computational difficulty to the square root of what a turing machine would need - so a 512 bit key would thwart any quantum computer.

This assumes that the best attack is brute force. If that were true in Shadowrun, decrypt utilities wouldn't exist.

Aka technomancer?

"I was sooo naive!" - or something similar; from a later publication of Bruce Schneier: "Secrets and lies".

It certainly has a bearing on why a SR Decrypt could break SR Encrypt.

Not so much.

In his later books, Schneier downplayed the utility of crypto because the attacks that mattered were never people trying to get the contents of an encrypted file by decrypting it without access to the key. In Shadowrun, the decrypt utility is explicitly trying to decrypt/crack an encrypted file. Not trick the user into giving them an unecrypted copy, not install a trojan horse that steals the key, not ignore the encrypted file entirely because it isn't important, actually break the cryptographic system.

In the real world, with a properly built cryptographic system designed around a properly selected cryptographic algorithim, that sort of attack is impossible. You could get around that if the user was using the crypto system incorrectly - if you want to show that as a game master it has nothing to do with the decrypt utility, it means the user left a decrypted backup copy of the file somewhere by mistake - let the hacker make a matrix perception test to find it.

Based on my line of reasoning, the only way the decrypt utility could work is by exploiting incorrectly designed cryptograhic systems (represented by encrypt utilities with low ratings). Desiging crypto utilities is hard - it's somewhat reasonable that even a rating 6 encrypt utility would have implementation flaws. On the other hand, it's probably not reasonable that those flaws can be easily exploited by a low quality decrypt utility. I stand by the house rule I suggested earlier if you want to fix this: If the rating of your decryption program doesn't exceed the rating of the encryption, the extended test interval is 1 hour and if the encryption rating is double the rating of the decrypt utility, it cannot be cracked.

Edit: Fixed typo.

Yes, well that's for the quality stuff. SR encryption/decryption makes moderately more sense if you assume the [real world] Microsoft Excel 95 team is still assembled and the top provider of main stream encryption code. Further given the complexity of the systems part of Decrypt can be hunting for clues to the keys left in the data garbage (once again up with secrecy ineptitude!). At least that is how i choose to read the handwaving of "advanced sampling, pattern-matching, and brute-force attacks" to help gloss over it.

After all in the real world "properly built" systems don't have security flaws due to buffer overflows.

That's like saying "pure words do not lie".

WEP's algorithms/design is "broken". "Broken" is actually a term of art which means that the algorithm can be decrypted by an unauthorized user (ie, one who does not know the key) in less time than it takes to do an exhaustive search of the keyspace.

Whenever an encryption algorithm becomes known as broken, anyone truly concerned about security will cease to use it. There are plenty of other algorithms that you can move to. Any algorithm that can be defeated by sampling of encrypted data (in less time than exhaustive search of keyspace) is broken, and should not be used. Yes, this includes WEP, which is why we now have something called WPA which users are encouraged to use instead.

WEP is now considered to be rather like the deadbolt you put on your front door -- it's only good for keeping out people who are not really determined to get in.

If you want a good reason for encryption to be breakable in the Shadowrun world, think about who is most likely to provide encryption algorithms for sale to the general public -- governments and corporations. Anyone who pays attention to the government with respect to encryption for the past few years know that the government wants to design weakness into encryption standards so law enforcement can break it when it wants to.

Because most people in Shadowrun are going to buy their encryption from a third party (as opposed to designing it themselves), it is a very easy thing to attribute the ease of breaking the encryption to the idea of designed weakness. The corps who provide these encryption codes obviously want to be able to break them themselves.

Encryption ratings would then reflect two things -- one, the ease of using these "designed" weaknesses, and two, how widely disseminated the knowledge of the design weaknesses is.

A lower rated encryption might have very easily exploited weaknesses, with the exploit being widely disseminated because it is a very old code. A highly-rated encryption might be a fresh Ares' eyes-only encryption code, one that Ares wanted to be breakable only with the kind of resources Ares could bring to bear, and one that most people have never even heard of (so the info has limited distribution).

Schneier impressively "re-clarified" that security assumptions - however convincing they may appear - cannot be considered to be complete. I.e. they cannot regard every possibility. They are simply assumptions and by no means a guarantee. So one should be very careful to make statements about the efficiency of future encryption schemes based on current knowledge. Such statements turned out to be ridiculous at best in the past.

That's because Schneier's later writings about security aren't about cryptography. They're about practical security - which is a different topic. What he's saying is that even a cryptographic algorithim that cannot be broken isn't secure if it isn't used, or if the crptographic key isn't managed properly. Note further that he's trying to sell something - his monitored-by-humans internet security service.

Whatever terms you may use, it simply goes to show that the initial assessment of the problem was incomplete and therefore absurd. In this case it disregarded the human factor. Who knows what other factor it will be in the future? And 2070 is - in terms of applied cryptography - a very distant future.

Absolutely true. I think all those times should be possible depending on the rating of the encrypt program versus the rating of the decrypt program.

Oops, well I mean you are brute-forcing, so processor power matters a ton right?