----- Original Message -----
From: "TD - Sales International Holland B.V." <[EMAIL PROTECTED]>
Sent: Friday, December 21, 2001 12:34 PM
Subject: [RC5] Re: [PHP] PHP / SSL | for distributed.net

> <for the distributed.net people>
> sorry this is OT but we would like to know what is more secure.
> 40bit SSL or 56bit DES. The reason I'm asking is since DES has
> been cracked under 22 hours 40bit SSL looks really insecure to me.
> Thanks in advance, sorry for the OT
> </for the distributed.net people>

First, you have to realise that SSL is not a crypto algorithm, it is a
transport layer, so when you are talking about 40bit SSL you are most
likely talking about 40bit RC5 encryption which is used in SSL.  You can
also have 56bit DES encryption in SSL, or a number of other algorithms if
your SSL client/server supports it.

Either way, using a 40bit key is MUCH less secure than using a 56bit key.
Every time you increase the key length by a bit, it doubles the amount of
possible keys to search through to crack it by brute force.  A 56bit key
has 65536 times more possible keys than a 40bit key.  A 128bit key has
309485009821345068724781056 times more possible keys than a 40bit key.
Remember with a brute-force attack you have to check all the keys to see
if it is the correct one so the more possible keys there are, the longer
it will take and the more work is involved.

You should not use either 40bit or 56bit SSL since both are not considered
secure.  You should use 128bit SSL instead.  There is no reason to use 40
or 56bit SSL any more since web servers and web browsers that support
128bit SSL are easily found.  Modules like mod_ssl for Apache support
128bit encryption algorithms using the openssl library and work great with

If you only have the choice between 40bit SSL or 56bit SSL, then go for
the 56bit version.  Your traffic will not be securely protected but it is
much more work to break DES than it is 40bit RC5 in SSL.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to