[RC5] 40 bit encryption, and what about implementation
fuzzman at m-net.arbornet.org
Sat Mar 16 08:55:17 EST 2002
I assume you mean something like SSL. It's done via a handshake, and
there is only one key used in the end, since the session key is symmetric.
If I remember correctly:
1) we first exchange specifics about what levels of authentication and
encryption we support, as well as our public keys (usually RSA).
2) The client creates a "pre-master" key which is generated from all the
data we've exchanged thus far (which might include authentication which
I've left out of this discussion)
3) The client encrypts the pre-master key using the server's public key
and sends it along
4) The server decrypts this with his private key, and both the client and
the server perform the same operations on this pre-master to come up
with a master secret.
5) Both the client and the server use this master secret to generate the
symmetric session key which they will use to encrypt traffic from this
This is pretty simplified, but it covers the basics. There is no man in
the middle attack besides brute force.
Quidquid Latine dictum sit, altum videtur.
Si hoc legere scis, nimium eruditionis habes.
Vir sapit qui pauca loquitur.
Cras amet qui numquam amavit, quique amavit cras plus amet.
Uno itinere non potest perveniri ad tam grande secretum.
On Sat, 16 Mar 2002, Jeroen wrote:
> If i visit a website with 40 bit encryption, how do i know the site's
> key and how does the site mine?
> If there is a man in the middle attack, the key can be 2^40 bit long
> :-) but still insecure.
To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest
More information about the rc5