Security Basics mailing list archives
Re: 40-bit VS 128-bit Encryption
From: "phil baskers" <phil () baskerville cjb net>
Date: Mon, 23 Jun 2003 03:30:23 +1200
Morning,

I am not fully up to date with US law but I believe that it is illegal to "export" encryption stronger than 56 bits from the US with the inclusion of a backdoor "for law enforcement". If no backdoor, the limit is 40 bits. These figures are old and I cannot guarantee that they are up to date but can imagine the law would have been changed since 9-11.

Basically, whatever encryption level you set for the website, it will not make much difference for the strength of the encryption. Chances are that if someone wants to break in they will, but encryption may slow someone down enough so that they lose interest.

As pointed out previously, there are many aspects in dealing with a web presence security. Usernames and passwords encryption should not be an end-all. Regular backups, physical security, server integrity, etc...

I am an information science student and my security lecturer's words sum it up: "It may be secure today, but who knows about tomorrow, just back it up tonight"

cheers,
Phil
Student
Otago
New Zealand

If interested more in encryption law...

http://www.banned-books.com/truth-seeker/1994archive/121_3/ts213c.html
Agents from the U.S. Customs Service visited Zimmerman in February 1993 to ask him about the "export" of PGP. Under the current interpretation of the International Traffic in Arms Regulations, cryptographic software like PGP is classified as "munitions" and cannot be legally exported without permission from the federal government. "The mere posting of encryption software is tantamount to exporting it," explains Danny Weitzner of the Electronic Frontier Foundation.

http://www.lawnotes.com/encrypt.htm
The export and reexport of 56-bit key length DES or equivalent strength encryption items is now permitted under the authority of a special License Exception - if the exporter makes satisfactory commitments to build and/or market recoverable encryption items (i.e., "back door" capability for law enforcement)

----- Original Message -----
From: "Paul Benedek" <paul.benedek () excis co uk>
To: "'Stephen Bock'" <sbock () smchcn net>; <security-basics () securityfocus com>
Sent: Saturday, June 21, 2003 7:50 AM
Subject: RE: 40-bit VS 128-bit Encryption

Hello Stephen,

40 Bit encryption has been broken, however it is unlikely that the average hacker has the capabilities to decrypt 40 bit traffic. If your data is not highly sensitive, then 40 bit encryption may suffice.

Encryption alone will not protect you however, if you are sending passwords and usernames make sure that they are strong passwords and are changed regularly as well and that you have an enforceable security policy that ensures this.

Regards,
Paul Benedek
Director
Excis Networks Limited
http://www.excis.co.uk

-----Original Message-----
From: Stephen Bock [mailto:sbock () smchcn net]
Sent: 19 June 2003 18:22
To: security-basics () securityfocus com
Subject: 40-bit VS 128-bit Encryption

I am setting up a secure website and I was wondering which would be better to use, 40-bit or 128-bit? Obviously, 128-bit would be stronger and not easily crackable, but it is also more expensive. Does anybody know if 40 or 128-bit has been cracked yet? I'm not going to be transmitting any credit card info over the net, but I will be sending username, password, etc. What are your thoughts?

----------------------------------
Stephen Bock
Information Technology/Webmaster
Samaritan Ministries International
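As an added example (not part of any message in this thread): a check that the cipher suites a Python/OpenSSL build would offer all meet a minimum key strength, using the 40-, 56- and 128-bit sizes discussed above. The sample suite list is constructed, and `audit_suites` and `local_suites` are names made up for this example.

```python
import ssl

# Constructed sample, in the dict shape returned by ssl.SSLContext.get_ciphers().
# The names are OpenSSL suite names; the first two date from the export era.
SAMPLE_SUITES = [
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56, "alg_bits": 56},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40, "alg_bits": 128},
    {"name": "AES128-SHA", "protocol": "SSLv3", "strength_bits": 128, "alg_bits": 128},
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256, "alg_bits": 256},
]


def audit_suites(suites, min_bits=128):
    """Split suites into (weak, acceptable) lists of (name, effective_bits)."""
    weak, acceptable = [], []
    for suite in suites:
        # strength_bits is the effective secret key size. An export suite can
        # report alg_bits=128 while only 40 bits are actually secret, so
        # alg_bits must not be used for this decision. A missing value is
        # treated as 0 bits, i.e. weak.
        bits = suite.get("strength_bits", 0)
        target = acceptable if bits >= min_bits else weak
        target.append((suite["name"], bits))
    # Weakest first, so the worst offender heads the report.
    weak.sort(key=lambda item: item[1])
    return weak, acceptable


def local_suites(cipher_string=None):
    """Suites the local OpenSSL build enables, optionally for a cipher string."""
    ctx = ssl.create_default_context()
    if cipher_string:
        ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


if __name__ == "__main__":
    for label, suites in (("sample", SAMPLE_SUITES), ("local", local_suites())):
        weak, ok = audit_suites(suites)
        print(f"{label}: {len(ok)} suites at >=128 bits, {len(weak)} below")
        for name, bits in weak:
            print(f"  disable {name} ({bits}-bit effective key)")
```
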
Current thread:
- 40-bit VS 128-bit Encryption Stephen Bock (Jun 20)
- RE: 40-bit VS 128-bit Encryption Richard Parry (Jun 21)
- Re: 40-bit VS 128-bit Encryption Adam Newhard (Jun 21)
- RE: 40-bit VS 128-bit Encryption Paul Benedek (Jun 21)
- Re: 40-bit VS 128-bit Encryption phil baskers (Jun 23)
- <Possible follow-ups>
- RE: 40-bit VS 128-bit Encryption DeGennaro, Gregory (Jun 21)
- RE: 40-bit VS 128-bit Encryption Allan Schon (Jun 21)
- RE: 40-bit VS 128-bit Encryption Jonathan Grotegut (Jun 24)
- RE: 40-bit VS 128-bit Encryption Joseph Mathews (Jun 25)
- Re: 40-bit VS 128-bit Encryption Olivier DEBRE (Jun 25)
- RE: 40-bit VS 128-bit Encryption Joseph Mathews (Jun 25)
- RE: 40-bit VS 128-bit Encryption Cushing, David (Jun 25)
- RE: 40-bit VS 128-bit Encryption Alexandre . Steinberg (Jun 25)