[WEB SECURITY] Re: [Webappsec] weak ssl ciphers

Arian J. Evans arian.evans at anachronic.com
Mon Apr 7 15:41:39 EDT 2008

Travis -- Google RSA's challenges. The EFF's and distributed.net's
cipher-cracking challenges should be listed there.

The team I was on cracked 40-bit SSL in something like 17 days
IIRC, circa 1998 (let's hear it for OS/2). That was the year they
put the ban on 128-bit export up for referendum and auto-expired
the law at the end of 1999 (again, IIRC).

Right around that time, someone with a purpose-built hardware cracker
ripped through it in something like 3 hours. The NSA never objected
to any of this, so I think it's safe to assume they have equal if not
superior hardware to what hobbyists can build.

The numbers from cracking challenges 1997-2000 are pretty
impressive as they stand.

Google around for the alleged key cycle crunching ability of
using the PS/3 as a dedicated cracker if you want modern
examples. It is entirely feasible to build a keyspace distribution
mechanism to use a dozen or so in parallel too (you kind of
have to to properly utilize the cell processor on one).

Considering it's 2008, I think it's safe to assume that the
last decade has provided enough computing power
advancements that the record 3+ hour time for cracking
40-bit SSL has been reduced.

Arian Evans, software security stuff

reformed hacker turned animal rights activist to meet vapid chicks
concerned with those tasty animals

On Mon, Apr 7, 2008 at 11:56 AM, Travis Altman <travisaltman at gmail.com> wrote:
> I've been trying to find some documentation on how long it would take to
> decipher weak SSL keys (40 and 56 bit ciphers) but can't seem to find any.
> Does anyone know of any good documentation on this?  I would like to have
> this documentation for recommendations on disabling weak ciphers.
