[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] Re: [Webappsec] weak ssl ciphers

From: Tim <tim-webappsec@xxxxxxxxxxxxxxxxxxx>
Subject: [WEB SECURITY] Re: [Webappsec] weak ssl ciphers
Date: Mon, 7 Apr 2008 12:15:40 -0700

Hello Travis,

On Mon, Apr 07, 2008 at 02:56:12PM -0400, Travis Altman wrote:
> i've been trying to find some documentation on how long it would take to
> decipher weak SSL keys (40 and 56 bit ciphers) but can't seem to find any.
> does anyone know of any good documentation on this?  i would like to have
> this documentation for recommendations on disabling weak ciphers.

I'm not sure how long this would take on a typical system nowadays.
Hopefully someone will chime in with some numbers.

A related question that I would like to bring up:  Given that RC4 is
commonly available as a weak/export cipher, does anyone know how hard it
would be to attack RC4's weak IV issues to divulge a key more quickly?
Would it be possible to gather enough IVs quickly enough to make it
worth the effort instead of just brute forcing the key directly?

cheers,
tim

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

References:
- [WEB SECURITY] weak ssl ciphers
  - From: Travis Altman

Prev by Date: [WEB SECURITY] weak ssl ciphers
Next by Date: [WEB SECURITY] Attack Technique: File Download Injection
Previous by thread: [WEB SECURITY] weak ssl ciphers
Next by thread: [WEB SECURITY] Re: [Webappsec] weak ssl ciphers
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site