Encrypted sessions
Nicholas Bohm
nbohm at ernest.net
Mon, 22 Feb 1999 10:45:03 +0000
At 07:06 PM 2/20/1999 +0000, Ben Laurie wrote:
>Nicholas Bohm wrote:
[snip]
>> Lastly, is it right to assume that in all these cases the key negotiation
>> process itself is secure, and that only the strength of the resulting key
>> is what is affected by the limitations?
>
>Yes. BTW, what is commonly known as a 40 bit key is actually a 128 bit
>key of which 88 bits have been revealed to sniffers during session
>setup. This avoids the dictionary attacks that would be available with a
>true 40 bit key.
>
>However, it is worth noting that the public/private keypair are also
>limited in export-crippled s/w to 512 bits.
Is that limitation overridden by a Verisign certificate enabling use of
128-bit symmetric keys? If not, the protection for the key negotiation
seems weaker than the resulting key.

And when you say "88 bits have been revealed to sniffers", could you
explain further: whose sniffers? Who can get access to the 88 bits?
Regards,
Nicholas Bohm
Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint:
9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF