[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] Re: [Webappsec] weak ssl ciphers

From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
Subject: [WEB SECURITY] Re: [Webappsec] weak ssl ciphers
Date: Mon, 7 Apr 2008 12:41:39 -0700

Travis -- Google RSA's challenges. The EFF and the distributed.net's
cipher-cracking challenges should be listed there.

The team I was on cracked 40 bit SSL in something like 17 days
IIRC, circa 1998 (let's hear it for OS/2). That was the year they
put the ban on 128-bit export up for referendum and auto-expired
the law the end of 1999 (again, IIRC).

Right around that time, someone with a purpose-built hardware cracker
ripped through it in something like 3 hours. The NSA never objected
to any of this, so I think it's safe to assume they have equal if not
superior hardware to what hobbyists can build.

The numbers from cracking challenges 1997-2000 are pretty
impressive as they stand.

Google around for the alleged key cycle crunching ability of
using the PS/3 as a dedicated cracker if you want modern
examples. It is entirely feasible to build a keyspace distribution
mechanism to use a dozen or so in parallel too (you kind of
have to to properly utilize the cell processor on one).

Considering it's 2008, I think it's safe to assume that the
last decade has provided enough computing power
advancements that the record 3+ hour time for cracking
40 bit SSL has been reduced.

-- 
-- 
Arian Evans, software security stuff

reformed hacker turned animal rights activist to meet vapid chicks
concerned with those tasty animals

On Mon, Apr 7, 2008 at 11:56 AM, Travis Altman <travisaltman@xxxxxxxxx> wrote:
> i've been trying to find some documentation on how long it would take to
> decipher weak SSL keys (40 and 56 bit ciphers) but can't seem to find any.
> does anyone know of any good documentation on this?  i would like to have
> this documentation for recommendations on disabling weak ciphers.
>
> _______________________________________________
>  Webappsec mailing list
>  Webappsec@xxxxxxxxxxxxxxx
>  https://lists.owasp.org/mailman/listinfo/webappsec
>
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

References:
- [WEB SECURITY] weak ssl ciphers
  - From: Travis Altman

Prev by Date: [WEB SECURITY] Invitation - OWASP AppSec Europe May 19-22 2008 - Belgium
Next by Date: Re: [WEB SECURITY] Attack Technique: File Download Injection
Previous by thread: [WEB SECURITY] Re: [Webappsec] weak ssl ciphers
Next by thread: [WEB SECURITY] Attack Technique: File Download Injection
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site