[WEB SECURITY] Re: [Webappsec] weak ssl ciphers

Tim tim-webappsec at sentinelchicken.org
Mon Apr 7 15:15:40 EDT 2008


Hello Travis,

On Mon, Apr 07, 2008 at 02:56:12PM -0400, Travis Altman wrote:
> i've been trying to find some documentation on how long it would take to
> decipher weak SSL keys (40 and 56 bit ciphers) but can't seem to find any.
> does anyone know of any good documentation on this?  i would like to have
> this documentation for recommendations on disabling weak ciphers.

I'm not sure how long this would take on a typical system nowadays.
Hopefully someone will chime in with some numbers.

A related question that I would like to bring up:  Given that RC4 is
commonly available as a weak/export cipher, does anyone know how hard it
would be to attack RC4's weak IV issues to divulge a key more quickly?
Would it be possible to gather enough IVs quickly enough to make it
worth the effort instead of just brute forcing the key directly?

cheers,
tim

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list