[WEB SECURITY] Re: [Webappsec] weak ssl ciphers

Arian J. Evans arian.evans at anachronic.com
Mon Apr 7 15:41:39 EDT 2008


Travis -- Google RSA's challenges. The EFF and the distributed.net's
cipher-cracking challenges should be listed there.

The team I was on cracked 40 bit SSL in something like 17 days
IIRC, circa 1998 (let's hear it for OS/2). That was the year they
put the ban on 128-bit export up for referendum and auto-expired
the law the end of 1999 (again, IIRC).

Right around that time, someone with a purpose-built hardware cracker
ripped through it in something like 3 hours. The NSA never objected
to any of this, so I think it's safe to assume they have equal if not
superior hardware to what hobbyists can build.

The numbers from cracking challenges 1997-2000 are pretty
impressive as they stand.

Google around for the alleged key cycle crunching ability of
using the PS/3 as a dedicated cracker if you want modern
examples. It is entirely feasible to build a keyspace distribution
mechanism to use a dozen or so in parallel too (you kind of
have to to properly utilize the cell processor on one).

Considering it's 2008, I think it's safe to assume that the
last decade has provided enough computing power
advancements that the record 3+ hour time for cracking
40 bit SSL has been reduced.

-- 
-- 
Arian Evans, software security stuff

reformed hacker turned animal rights activist to meet vapid chicks
concerned with those tasty animals




On Mon, Apr 7, 2008 at 11:56 AM, Travis Altman <travisaltman at gmail.com> wrote:
> i've been trying to find some documentation on how long it would take to
> decipher weak SSL keys (40 and 56 bit ciphers) but can't seem to find any.
> does anyone know of any good documentation on this?  i would like to have
> this documentation for recommendations on disabling weak ciphers.
>
> _______________________________________________
>  Webappsec mailing list
>  Webappsec at lists.owasp.org
>  https://lists.owasp.org/mailman/listinfo/webappsec
>
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list