Bugtraq mailing list archives

Re: [Mark (Mookie): Re: SSL message broken]


From: perry () piermont com (Perry E. Metzger)
Date: Fri, 18 Aug 1995 12:42:39 -0400


Peiter Zatko writes:
> It has been rumored that the domestic version is also currently using
> a 40bit key and that Netscape had mentioned that they _will_ be using the
> 1024bit key (implying future tense).

Er, please get your facts correct here.

The version sold in the U.S. can use a 128 bit RC4 key, not a 1024 bit
one. No one ever spoke of a 1024 bit key. As for the version
downloadable on the net, there is no question of a "rumor", it always
has used a 40 bit key and this has hardly been a secret.

> This makes a lot of sense actually as throughput is very important for their
> application and the difference between a 40bit key and 1024bit key is
> substantial.

What are you talking about? RC4 performs identically with any length
of key, and furthermore the key used in the export/downloadable
version is in fact 128 bits, except that all but 40 of the bits are
'leaked' by the protocol.

.pm
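
Added example, not part of the original message: a minimal RC4 in Python illustrating the two points in the reply above. The key schedule does the same 256 swaps for a 40-bit and a 128-bit key, and sending 88 of 128 key bits in the clear leaves a 40-bit unknown. Function names and the sample keys are constructed for illustration.

```python
def rc4_ksa(key: bytes):
    """RC4 key schedule. Returns (state, number_of_swaps_performed)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = swaps = 0
    for i in range(256):                      # always 256 rounds
        j = (j + s[i] + key[i % len(key)]) & 0xFF   # key is just cycled
        s[i], s[j] = s[j], s[i]
        swaps += 1
    return s, swaps


def rc4_keystream(state, n: int) -> bytes:
    """Generate n keystream bytes; the key is no longer involved here."""
    s = list(state)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) data under key."""
    state, _ = rc4_ksa(key)
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(state, len(data))))


def unknown_key_space(key_bits: int, bits_sent_in_clear: int) -> int:
    """Number of candidate keys left once some key bits are disclosed."""
    return 2 ** (key_bits - bits_sent_in_clear)


if __name__ == "__main__":
    key40 = bytes(range(5))     # constructed 40-bit sample key
    key128 = bytes(range(16))   # constructed 128-bit sample key
    print("KSA swaps, 40-bit key: ", rc4_ksa(key40)[1])
    print("KSA swaps, 128-bit key:", rc4_ksa(key128)[1])
    # 128-bit key with all but 40 bits disclosed, as described in the reply
    print("unknown keys:", unknown_key_space(128, 88))
```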


