[Perry E. Metzger: Re: [Mark (Mookie): Re: SSL message broken]]

[peiterz () BBN COM (Peiter Zatko)]

Perry writes:
[stuff deleted]
> Er, please get your facts correct here.

Er, that's why I posted the question here. As I asked for either a
confirmation or denial of the information I had been given. If I had
my facts straight I wouldn't be asking if they were correct now
would I...

> The version sold in the U.S. can use a 128 bit RC4 key, not a 1024 bit
> one. No one ever spoke of a 1024 bit key. As for the version
> downloadable on the net, there is no question of a "rumor", it always
> has used a 40 bit key and this has hardly been a secret.

I am not asking about the version downloadable on the net. I am asking
about their commercial domestic version.

> > This makes a lot of sense actually as throughput is very important for their
> > application and the difference between a 40bit key and 1024bit key is
> > substantial.

> What are you talking about? RC4 performs identically with any length
> of key, and furthermore the key used in the export/downloadable
> version is in fact 128 bits, except that all but 40 of the bits are
> 'leaked' by the protocol.

Not knowing the details on RC4 I will take your word on it until I get
a chance to research it.

> .pm

So pardon me for being 'dense' here but what happens when the 'net-able-
exportable version using the 40bit key talks to a domestic-commercial
version server that can handle the 128bit key... it syncs down to the
40bit and is thus insecure... right???

Sorry for the noise here folks, just trying to asses the whole situation.

PeiterZ
BBN Systems and Technologies