This is what I got back so far from RC5 where there are crypto experts. And as the guy from GMDI? I forgot, something like that .nl, pointed out, it also matters whether it's SSL2 or SSL3 40bit encryption if I'm not mistaken. Hope you can do something with this info.
Apparently, like stated below, it is less work to crack RC5 40 bits (which SSL probably uses) than it is to crack DES. Since DES can be cracked within 22 hours on distributed.net and that power can be compared with like $ 100.000 I ESTIMATE somebody with like 40.000 bucks can crack it in reasonable time. I guess the big question is this, if it gets cracked, who are they gonna hold responsible. If they are gonna hold you responsible I'd certainly think twice about this :-)

Kind regards & happy holidays

---------- Forwarded Message ----------
Subject: Re: [RC5] Re: [PHP] PHP / SSL | for distributed.net OffTopic!!!
Date: Fri, 21 Dec 2001 08:12:36 -0500
From: "Jeff Gilchrist" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>

----- Original Message -----
From: "TD - Sales International Holland B.V." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, December 21, 2001 12:34 PM
Subject: [RC5] Re: [PHP] PHP / SSL | for distributed.net OffTopic!!!

> <for the distributed.net people>
> sorry this is OT but we would like to know what is more secure.
> 40bit SSL or 56bit DES. The reason I'm asking is since DES has
> been cracked under 22 hours 40bit SSL looks really insecure to me.
>
> Thanks in advance, sorry for the OT
> </for the distributed.net people>

First, you have to realise that SSL is not a crypto algorithm, it is a transport layer, so when you are talking about 40bit SSL you are most likely talking about 40bit RC5 encryption which is used in SSL. You can also have 56bit DES encryption in SSL, or a number of other algorithms if your SSL client/server supports it.

Either way, using a 40bit key is MUCH less secure than using a 56bit key. Every time you increase the key length by a bit, it doubles the amount of possible keys to search through to crack it by brute force. A 56bit key has 65536 times more possible keys than a 40bit key.
A 128bit key has 309485009821345068724781056 times more possible keys than a 40bit key. Remember with a brute-force attack you have to check all the keys to see if it is the correct one so the more possible keys there are, the longer it will take and the more work is involved.

You should not use either 40bit or 56bit SSL since both are not considered secure. You should use 128bit SSL instead. There is no reason to use 40 or 56bit SSL any more since web servers and web browsers that support 128bit SSL are easily found. Modules like mod_ssl for Apache support 128bit encryption algorithms using the openssl library.

If you only have the choice between 40bit SSL or 56bit SSL, then go for the 56bit version. Your traffic will not be securely protected but it is much more work to break DES than it is 40bit RC5 in SSL.

Regards,
Jeff.

-------------------------------------------------------

--
PHP General Mailing List (http://www.php.net/)
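
The key-length comparison in the reply above, as an added example that is not part of the original thread: it reads cipher-suite lines in the column layout printed by "openssl ciphers -v" (the sample lines are constructed) and rejects any suite whose key is shorter than 128 bits, reporting how many times smaller its key space is. It judges key length only, the measure the reply uses; the function names are this example's own.

```python
import re

# Constructed sample in the column layout of `openssl ciphers -v`
# (as printed by older OpenSSL builds); not taken from the thread.
SAMPLE = """\
EXP-RC4-MD5   SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)  Mac=MD5  export
DES-CBC-SHA   SSLv3 Kx=RSA      Au=RSA Enc=DES(56)  Mac=SHA1
AES128-SHA    SSLv3 Kx=RSA      Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA    SSLv3 Kx=RSA      Au=RSA Enc=AES(256) Mac=SHA1
NULL-SHA      SSLv3 Kx=RSA      Au=RSA Enc=None     Mac=SHA1
"""

# Enc=<cipher>(<bits>); the bit count is absent for Enc=None.
ENC = re.compile(r"\bEnc=([^\s(]+)(?:\((\d+)\))?")
MIN_BITS = 128  # the floor recommended in the reply


def parse(line):
    """Return (suite_name, cipher, key_bits); key_bits is 0 for Enc=None."""
    match = ENC.search(line)
    if match is None:
        raise ValueError("no Enc= column in line: %r" % line)
    bits = int(match.group(2)) if match.group(2) else 0
    return line.split()[0], match.group(1), bits


def audit(text, min_bits=MIN_BITS):
    """Split suites into (accepted names, rejected (name, bits, factor))."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _cipher, bits = parse(line)
        if bits >= min_bits:
            accepted.append(name)
        else:
            # Each missing bit halves the key space, so a key that is
            # (min_bits - bits) bits short has 2**(min_bits - bits)
            # times fewer keys to search.
            rejected.append((name, bits, 2 ** (min_bits - bits)))
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = audit(SAMPLE)
    print("accepted:", ", ".join(accepted))
    for name, bits, factor in rejected:
        print("REJECT %-12s %3d-bit key, key space %d times smaller "
              "than %d-bit" % (name, bits, factor, MIN_BITS))
```

To check a real server build, feed the output of "openssl ciphers -v" for the configured cipher string to audit() in place of SAMPLE.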