[538] in WWW Security List Archive
Re: Netscape and 40 bit encryption
daemon@ATHENA.MIT.EDU (Mark C. Davis ((919)254-7865))
Sat Mar 25 15:59:56 1995
Date: Sat, 25 Mar 95 12:33:06 EST
From: "Mark C. Davis ((919)254-7865)" <davismc@vnet.ibm.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Pardon me, but the way I read the SSL specification, the only restriction
to 40 bits is the symmetric key bulk encryption algorithm. This is not
the strongest key length, but is not trivial to break. Authentication
is still really based on standard X.509 certificates, with key lengths
reasonable for public keys.
(Depending on which paper you read, a 56 bit symmetric key is roughly
equivalent in strength to a several hundred bit (512 to 1024) public
key. Thus a 40 bit public key would be a joke, but a 40 bit DES (CDMF), RC 2
or IDEA key would be nice for casual communication (personal privacy, but
not large monetary transactions).)
Thanks - Mark