Bugtraq mailing list archives
[Perry E. Metzger: Re: [Mark (Mookie): Re: SSL message broken]]
From: peiterz () BBN COM (Peiter Zatko)
Date: Fri, 18 Aug 1995 14:43:59 EDT
Perry writes: [stuff deleted]
Er, please get your facts correct here.
Er, that's why I posted the question here. As I asked for either a confirmation or denial of the information I had been given. If I had my facts straight I wouldn't be asking if they were correct now would I...
The version sold in the U.S. can use a 128 bit RC4 key, not a 1024 bit one. No one ever spoke of a 1024 bit key. As for the version downloadable on the net, there is no question of a "rumor", it always has used a 40 bit key and this has hardly been a secret.
I am not asking about the version downloadable on the net. I am asking about their commercial domestic version.
This makes a lot of sense actually as throughput is very important for their application and the difference between a 40bit key and 1024bit key is substantial.
What are you talking about? RC4 performs identically with any length of key, and furthermore the key used in the export/downloadable version is in fact 128 bits, except that all but 40 of the bits are 'leaked' by the protocol.
Not knowing the details on RC4 I will take your word on it until I get a chance to research it.
.pm
So pardon me for being 'dense' here but what happens when the 'net-able- exportable version using the 40bit key talks to a domestic-commercial version server that can handle the 128bit key... it syncs down to the 40bit and is thus insecure... right??? Sorry for the noise here folks, just trying to asses the whole situation. PeiterZ BBN Systems and Technologies
Current thread:
- [Perry E. Metzger: Re: [Mark (Mookie): Re: SSL message broken]] Peiter Zatko (Aug 18)