[2150] in bugtraq

Re: [Mark (Mookie): Re: SSL message broken]

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Mon Aug 21 22:44:27 1995

Date:         Fri, 18 Aug 1995 12:42:39 -0400
Reply-To: perry@piermont.com
From: "Perry E. Metzger" <perry@piermont.com>
X-To:         Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  Your message of "Fri, 18 Aug 1995 12:19:57 EDT."
              <199508181616.KAA09707@crimelab.com>

Peiter Zatko writes:
> It has been rumored that the domestic version is also currently using
> a 40bit key and that Netscape had mentioned that they _will_ be using the
> 1024bit key (implying future tense).

Er, please get your facts correct here.

The version sold in the U.S. can use a 128 bit RC4 key, not a 1024 bit
one. No one ever spoke of a 1024 bit key. As for the version
downloadable on the net, there is no question of a "rumor", it always
has used a 40 bit key and this has hardly been a secret.

> This makes a lot of sense actually as throughput is very important for their
> application and the difference between a 40bit key and 1024bit key is
> substantial.

What are you talking about? RC4 performs identically with any length
of key, and furthermore the key used in the export/downloadable
version is in fact 128 bits, except that all but 40 of the bits are
'leaked' by the protocol.

.pm
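
An added illustration of the two points in the reply above (not part of the original message, and not Netscape's code): RC4's key schedule does the same 256 swaps whatever the key length, and a 128-bit key with 88 bits disclosed leaves only 40 bits unknown. The clear-then-secret byte order and all key values are constructed assumptions; the self-check uses a widely published RC4 test vector.

```python
def rc4_ksa(key: bytes):
    """RC4 key schedule. Returns (state, number of swaps performed)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = swaps = 0
    for i in range(256):          # always 256 rounds; key bytes are just reused
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
        swaps += 1
    return s, swaps

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data (same operation) with RC4."""
    s, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:                # per-byte cost does not depend on key length
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def export_key(secret40: bytes, clear88: bytes) -> bytes:
    """Model of the export key: 128 bits, 88 of them visible on the wire.
    Assumption: clear bytes first, then secret bytes."""
    if len(secret40) != 5 or len(clear88) != 11:
        raise ValueError("expected 5 secret bytes and 11 clear bytes")
    return clear88 + secret40

def unknown_bits(key: bytes, leaked_bytes: int) -> int:
    """Key bits an eavesdropper does not already hold."""
    return 8 * (len(key) - leaked_bytes)

# Constructed sample values, not taken from any real session.
CLEAR88 = bytes(range(11))
SECRET40 = bytes.fromhex("a1b2c3d4e5")
KEY_EXPORT = export_key(SECRET40, CLEAR88)    # 128-bit key, 88 bits leaked
KEY_DOMESTIC = bytes(range(16, 32))           # 128-bit key, nothing leaked

if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext".
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    for name, key, leaked in (("export", KEY_EXPORT, 11),
                              ("domestic", KEY_DOMESTIC, 0)):
        print(name, "key bits:", 8 * len(key), "KSA swaps:", rc4_ksa(key)[1],
              "unknown bits:", unknown_bits(key, leaked))
```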
