[RC5] 40 bit encryption, and what about implementation

Fuzzy Logic fuzzman at m-net.arbornet.org
Sat Mar 16 08:55:17 EST 2002

I assume you mean something like SSL.  It's done via a handshake, and
there is only one key used in the end, since the session key is symmetric.

If I remember correctly:

1) we first exchange specifics about what levels of authentication and
   encryption we support, as well as our public keys (usually RSA).

2) The client creates a "pre-master" key which is generated from all the
   data we've exchanged thus far (which might include authentication which
   I've left out of this discussion)

3) The client encrypts the pre-master key using the server's public key
   and sends it along

4) The server decrypts this with his private key, and both the client and
   the server perform the same operations on this pre-master to come up
   with a master secret.

5) Both the client and the server use this master secret to generate the
   symmetric session key which they will use to encrypt traffic from this
   point on.

This is pretty simplified, but it covers the basics.  There is no man in
the middle attack besides brute force.

Quidquid Latine dictum sit, altum videtur.
Si hoc legere scis, nimium eruditionis habes.
Vir sapit qui pauca loquitur.
Cras amet qui numquam amavit, quique amavit cras plus amet.
Uno itinere non potest perveniri ad tam grande secretum.

On Sat, 16 Mar 2002, Jeroen wrote:

> If i visit a website with 40 bit encryption, how do i know the site's
> key and how does the site mine?
> If there is a man in the middle attack, the key can be 2^40 bit long
> :-) but still insecure.

To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest

More information about the rc5 mailing list