Any crypto geeks out there?
What is the "512 bit RSA encryption module"? Has anyone seen this article?
Michael - do you have a reference?
I'm not sure what the supposed implications of this are, but I'm pretty sure
that if RSA had finally been compromised there would be many more people off
their rice crispies than just people buying stamps on the Internet...
Before I get to the long bit, someone check me on this - does SSL provide
PFS? What are the attacks against the key exchange? Does private key
compromise lose you the game for sure?
Michael - here is some crypto primer...
RSA is asymmetric - each "key" can EITHER open the lock OR close it - NOT
both. That means that you get a public key and a private key. Encrypting
something with RSA means that only the private key that corresponds to the
public key that encrypted it can decrypt it again. You don't care who has
your public key - it can only be used to send encrypted stuff to you. It's
your private key - the one that decrypts stuff - that's ultra secret. RSA
private keys are monstrously long. Being monstrously long, they take a while
to do their thing. PGP is the same style of crypto, by the way.
Because it's not practical to encrypt every bit (err, packet) of data with
RSA or a similar alg. (way too slow - see above) the compromise used by lots
of this kind of session based crypto is to use smaller keys. These keys are
symmetric - the key closes AND opens the lock. If each guy has a copy of the
key, each guy can decrypt the data at the other end. These keys are small -
40, 56, 168 bits (or something). Because they are small (and because they do
different kinds of math) they work really quickly. This is good, but they
can be cracked.
So, in brief terms, we lock up our small, fast, short lifetime key with big,
slow, mega-secure keys. We then send em over to the other guys, and use them
for one "session". All the actual STUFF (transactions, data traffic, credit
cards numbers and whotnot) is ecrypted with the session key - NOT the RSA
keys. Once we've used them, we throw them in the bin because, in theory,
some Evil Person has been working like a bastard to crack them and will
succeed in between 24 hours and a few weeks.
There is another concept which you sort of dance around, called "Perfect
Forward Secrecy". The idea of PFS is that if a key gets compromised, it
would be BAD if people could then use this to compromise any other
transactions made with that key. A system provides PFS if and only if key
compromise will not compromise any other session (past or future).
Now I'm NOT a crypto geek, so this next bit (which is the bit you really
want to know) may not be completely accurate. I think (hope) that each
session key generated by SSL is tied to other factors than the RSA private
key. So, say your RSA private key gets compromised, this does not
neccessarily mean that they can just walk through every _packet_ from then
on and decypt all your stuff. HOWEVER, if they could see the key exchange at
the start of each transaction, however, they could probably puzzle it out.
The moral of the story is: don't lose your private key.
Cheers,
Oh, and Boyd - I don't ever want to hear the phrases "impossible to break"
or "trillion-trillion years" (in relation to crypto) again. ;)
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 04, 1999 5:05 AM
To: [EMAIL PROTECTED]
Subject: Does SSL use RSA keys?
To all that have a clue,
Please help clarify two points. If this is a little off for this list,
please excuse. I know you folks out there know the answers.
Does SSL use RSA keys?
In SSL, is the key generated each time a browser initiates a session?
Or if someone has the "crack" for a certain key, can they then decrypt
all messages coded with that key?
What started all this? An article I read said that the 512 bit RSA
encryption module had been cracked. The headline of the article said
that "the standard used to encrypt financial transactions on the
Internet is no longer secure."
My impression was that the RSA keys are used in PGP and a lot of VPN
networks, and that the SSL keys are not the same.
Please clarify.
Thanks,
Michael Sorbera
Webmaster
Randolph-Brooks Federal Credit Union
"In the land of the clueless, he who has half a clue is King!"
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
