[RC5] Re: [PHP] PHP / SSL | for distributed.net OffTopic!!!

Jeff Gilchrist jeffg at cips.ca
Fri Dec 21 08:12:36 EST 2001


----- Original Message -----
From: "TD - Sales International Holland B.V." <td at salesint.com>
To: <me at shanewright.co.uk>; <php-general at lists.php.net>
Cc: <rc5 at lists.distributed.net>
Sent: Friday, December 21, 2001 12:34 PM
Subject: [RC5] Re: [PHP] PHP / SSL | for distributed.net OffTopic!!!


> <for the distributed.net people>
> sorry this is OT but we would like to know what is more secure.
> 40bit SSL or 56bit DES. The reason I'm asking is since DES has
> been cracked under 22 hours 40bit SSL looks really insecure to me.
>
> Thanks in advance, sorry for the OT
> </for the distributed.net people>

First, you have to realise that SSL is not a crypto algorithm, it is a
transport layer, so when you are talking about 40bit SSL you are most
likely talking about 40bit RC5 encryption which is used in SSL.  You can
also have 56bit DES encryption in SSL, or a number of other algorithms if
your SSL client/server supports it.

Either way, using a 40bit key is MUCH less secure than using a 56bit key.
Every time you increase the key length by a bit, it doubles the amount of
possible keys to search through to crack it by brute force.  A 56bit key
has 65536 times more possible keys than a 40bit key.  A 128bit key has
309485009821345068724781056 times more possible keys than a 40bit key.
Remember with a brute-force attack you have to check all the keys to see
if it is the correct one so the more possible keys there are, the longer
it will take and the more work is involved.

You should not use either 40bit or 56bit SSL since both are not considered
secure.  You should use 128bit SSL instead.  There is no reason to use 40
or 56bit SSL any more since web servers and web browsers that support
128bit SSL are easily found.  Modules like mod_ssl for Apache support
128bit encryption algorithms using the openssl library.

If you only have the choice between 40bit SSL or 56bit SSL, then go for
the 56bit version.  Your traffic will not be securely protected but it is
much more work to break DES than it is 40bit RC5 in SSL.

Regards,
Jeff.



--
To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest



More information about the rc5 mailing list