[RC5] Re: [PHP] PHP / SSL | for distributed.net OffTopic!!!

TD - Sales International Holland B.V. td at salesint.com
Fri Dec 21 18:34:51 EST 2001


On Thursday 20 December 2001 15:32, Shane Wright stuffed this into my mailbox:

<for the distributed.net people>
sorry this is OT but we would like to know what is more secure. 40bit SSL or 
56bit DES. The reason I'm asking is since DES has been cracked under 22 hours 
40bit SSL looks really insecure to me.

Please send this to php-general at lists.php.net as well (if you don't I will 
though :-)) Reply-All might do it.

Thanks in advance, sorry for the OT
</for the distributed.net people>


Whow, I'd have to check that :-) any crypto people here? :-) bitwise 56 is > 
40. Mathematically it would take a lot less time to brute force 40 bit than 
it would 56 bit. 
40 bit = (2^40) 1.0995116278e+12 (1.099.511.627.800 possible options)
56 bit = (2^56)  7.2057594038e+16 (72.057.594.038.000.000 possible options)
I am no crypto expert whatsoever, but it looks to me like you're done a lot 
faster if you have to test for only 1.099.511.627.800 keys than for 
72.057.594.038.000.000. The 56bit keys were cracked under 22 hours several 
times as far as I know. Of course this is also a question of luck. You might be a 
real lucky ass and get the correct key the first try. Then again you might be 
an unlucky ass and get the key at the last one to try.....
Once again, I'm NO crypto expert whatsoever. But it appears to me that 40bit 
encryption can't have more keys than that fit in 40 bits? Then again, maybe 
they mix several algorithms........ I'd have to check.. I'm also sending 
this to distributed.net mailing lists. There are some crypto experts there, 
maybe they can shed some light on it.

> Hang on, correct me if I'm wrong, but isn't 56bit DES significantly
> different from 40-bit SSL  (which uses a 40bit key for the public key
> crypto and something like a 3000bit key for the symmetric cipher used for
> the actual data transfer).
>
> What I mean is, DES is significantly weaker than the weakest part of
> standard 40bit SSL yes?
>
> If I'm wrong, aren't a lot of people putting a lot of confidence in
> something that really isn't secure (i.e. all SSL sessions...)??