Mozilla has full-strength 128-bit SSL available for export now, so you 
shouldn't have any reason to use the 40-bit version. If an 88-bit key is 
generated from a 40-bit secret, the resulting key is only as strong as a 
40-bit key, regardless of its actual length. It's like having a 4-digit 
PIN where each digit must be a 1, 2, or 3 - there are a lot fewer 
possible keys that way.
      -Mitch

Daniel Luebke wrote:
> Hi!
> 
> I'm wondering about the strength of RC4-Export in SSL.
> As far as I understand, the crypto routines are taking a 40-bit secret 
> and are generating 88 bits by using MD5 on the random numbers used 
> within the handshaking, so that a 128-bit key can be used to encrypt the 
> SSL traffic.
> What is the disadvantage compared to a "real" 128-bit key?
> 
> Thanks in advance
> 
> Daniel Luebke
> 
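
The point made in the reply above, as an added example that is not part of the original thread: a 128-bit key expanded with MD5 from a short secret plus public handshake randoms can only take as many values as the secret can. This is a simplified model, not the exact SSL export key derivation; the secret is scaled down from 40 to 16 bits so it runs instantly, and all function names and the random values are constructed for illustration.

```python
import hashlib
import math

SECRET_BITS = 16  # assumption: scaled down from the 40 bits discussed in the thread

# Constructed stand-ins for the handshake randoms, which travel in the clear.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

def derive_key(secret: int, client_random: bytes, server_random: bytes) -> bytes:
    """Expand a short secret into a 128-bit key using MD5 over public values."""
    secret_bytes = secret.to_bytes((SECRET_BITS + 7) // 8, "big")
    return hashlib.md5(secret_bytes + client_random + server_random).digest()

def reachable_keys(client_random: bytes, server_random: bytes) -> int:
    """Count the distinct 128-bit keys the derivation can ever produce."""
    return len({derive_key(s, client_random, server_random)
                for s in range(2 ** SECRET_BITS)})

def effective_bits(client_random: bytes, server_random: bytes) -> float:
    """Effective key strength: log2 of the number of reachable keys."""
    return math.log2(reachable_keys(client_random, server_random))

def search_cost(target_key: bytes, client_random: bytes, server_random: bytes):
    """Walk the secret space until the derived key matches.

    Returns (secret, tries). Comparing keys directly stands in for testing
    each candidate key against captured traffic.
    """
    for tries, secret in enumerate(range(2 ** SECRET_BITS), start=1):
        if derive_key(secret, client_random, server_random) == target_key:
            return secret, tries
    return None, 2 ** SECRET_BITS

if __name__ == "__main__":
    key = derive_key(0xBEEF, CLIENT_RANDOM, SERVER_RANDOM)
    print("key length in bits:", len(key) * 8)
    print("effective bits:    ", effective_bits(CLIENT_RANDOM, SERVER_RANDOM))
    print("search result:     ", search_cost(key, CLIENT_RANDOM, SERVER_RANDOM))
```

With `SECRET_BITS = 40` the same bound holds: at most 2^40 keys are reachable out of the 2^128 a full-strength key could take.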


