[RC5] 40 bit encryption, and what about implementation

Greg Wooledge greg at wooledge.org
Sat Mar 16 09:26:32 EST 2002

Jeroen (v.d.burg at planet.nl) wrote:

> If I visit a website with 40 bit encryption, how do I know the site's
> key and how does the site mine?  If there is a man in the middle
> attack, the key can be 2^40 bit long :-) but still insecure.

That's where the certificate authorities (CAs) come in.  If the
certificate (public key) you get from a site is signed by a CA that your
web browser trusts, then you are supposed to feel some sort of warm fuzzy
assurance that there was no MITM attack.  Of course, this assumes that
the CA is trustworthy.

The remote site, of course, has no way of knowing whether it can trust
*you*.  But usually that's not an issue for them -- as long as you give
them a valid credit card number and shipping/billing address, they'll
happily take the money. :)

Greg Wooledge                  |   "Truth belongs to everybody."
greg at wooledge.org              |    - The Red Hot Chili Peppers
http://wooledge.org/~greg/     |
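
The CA check described in the reply above, as an added example that is not part of the original post: a toy model in which a browser accepts a site key only if a CA in its trust store signed it. Textbook RSA over fixed Mersenne primes, the names `Good CA`, `Rogue CA` and `shop.example`, and the key byte strings are all constructed for illustration; this is not real X.509 and not secure.

```python
import hashlib

E = 65537  # public exponent shared by both toy CAs

def make_key(p, q):
    """Textbook RSA key from two primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(name, pubkey, n):
    """Hash of the certificate body (site name + site public key), reduced mod n."""
    h = hashlib.sha256(name.encode() + b"\x00" + pubkey).digest()
    return int.from_bytes(h, "big") % n

def sign(name, pubkey, ca):
    """CA signs the binding between a site name and a public key."""
    n, d = ca
    return pow(digest(name, pubkey, n), d, n)

def browser_accepts(cert, trusted):
    """cert = (name, pubkey, issuer, sig); trusted maps issuer name -> CA modulus."""
    name, pubkey, issuer, sig = cert
    n = trusted.get(issuer)
    if n is None:                      # issuer is not in the trust store
        return False
    return pow(sig, E, n) == digest(name, pubkey, n)

# Constructed sample data: two CAs, one of which the browser trusts.
GOOD_CA = make_key(2**61 - 1, 2**89 - 1)
ROGUE_CA = make_key(2**107 - 1, 2**127 - 1)
TRUSTED = {"Good CA": GOOD_CA[0]}

SITE_KEY = b"constructed-site-public-key"
MITM_KEY = b"constructed-attacker-public-key"

# Certificate the real site presents.
genuine = ("shop.example", SITE_KEY, "Good CA",
           sign("shop.example", SITE_KEY, GOOD_CA))
# Man in the middle swaps in its own key but can only reuse the old signature.
swapped = ("shop.example", MITM_KEY, "Good CA", genuine[3])
# Man in the middle gets its key signed by a CA the browser does not trust.
rogue = ("shop.example", MITM_KEY, "Rogue CA",
         sign("shop.example", MITM_KEY, ROGUE_CA))

if __name__ == "__main__":
    print("genuine:", browser_accepts(genuine, TRUSTED))
    print("swapped key:", browser_accepts(swapped, TRUSTED))
    print("untrusted CA:", browser_accepts(rogue, TRUSTED))
    # The reply's caveat: once a bad CA is trusted, the substituted key passes.
    print("bad CA trusted:",
          browser_accepts(rogue, {**TRUSTED, "Rogue CA": ROGUE_CA[0]}))
```

The last call shows why the assurance is only as good as the trust store: the check cannot tell a trustworthy CA from an untrustworthy one.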