[7585] in cryptography@c2.net mail archive
Re: actual deployment of various PK & Key-exchange algorthms?
daemon@ATHENA.MIT.EDU (Eric Murray)
Thu Jul 27 18:37:39 2000
Date: Thu, 27 Jul 2000 09:38:22 -0700
From: Eric Murray <ericm@lne.com>
To: Jeff.Hodges@stanford.edu
Cc: cryptography@c2.net
Message-ID: <20000727093822.I21049@slack.lne.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <200007271614.JAA11068@breakaway.Stanford.EDU>
On Thu, Jul 27, 2000 at 09:14:11AM -0700, Jeff.Hodges@stanford.edu wrote:
>
> A colleague asked yesterday "I wonder how much Diffie-Hellman is actually
>used?", as we were sitting around talking about authentication (in particular)
> and security (in general) protocols.
>
>So I'm curious, are there any studies on what is actually deployed "out there"
> and/or available in products -- qualified as the set of algorithms discussed
> in Chapters 19 and 22 of Applied Cryptography 2nd Ed?
>
> I suppose that a bunch of what's "out there" is under wraps and so data isn't
> available, but commercial-off-the-shelf stuff generally touts what
> algorithms/protocols it implements.
I just completed a survey of deployed SSL server security, and one of
the things I looked at is the support for the different ciphersuites.
While SSL/TLS != all crypto, it's probably the most common protocol, so
my results might give you some idea of how much DH and other algorithms
are supported.
I found that 38% of the servers in my study were insecure-
they used weak 40-bit ciphersuites, 512-bit or smaller keys, self-signed
certs or had an expired cert (or had more than one of these insecurities).
That's pretty awful.
http://www.lne.com/ericm/papers/ssl_servers.html
The stats for ciphersuites supported is on the 'detailed results' page
along with a list of the weak servers I found. There's also
a form for checking the security of an SSL server.
--
Eric Murray http://www.lne.com/ericm ericm at lne.com PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards.
