[WEB SECURITY] Re: [Webappsec] weak ssl ciphers
Tim
tim-webappsec at sentinelchicken.org
Mon Apr 7 15:15:40 EDT 2008
Hello Travis,

On Mon, Apr 07, 2008 at 02:56:12PM -0400, Travis Altman wrote:
> I've been trying to find some documentation on how long it would take to
> decipher weak SSL keys (40 and 56 bit ciphers) but can't seem to find any.
> Does anyone know of any good documentation on this? I would like to have
> this documentation for recommendations on disabling weak ciphers.

I'm not sure how long this would take on a typical system nowadays.
Hopefully someone will chime in with some numbers.

A related question that I would like to bring up: Given that RC4 is
commonly available as a weak/export cipher, does anyone know how hard it
would be to attack RC4's weak IV issues to divulge a key more quickly?
Would it be possible to gather enough IVs quickly enough to make it
worth the effort instead of just brute forcing the key directly?

cheers,
tim