
security_asp thread: Just how secure is secure


Message #1 by "Walter Burrough" <lists@c...> on Tue, 30 Jan 2001 17:25:00 -0000
Thanks that's great. The "month or two" was the sort of thing I wanted to 
hear. That's fine for my situation as the data isn't particularly 
sensitive.
By the way, BTTrustwise do sell 128bit certificates here in the UK (£500).
walter

-----Original Message-----
From: Neale, Chris [mailto:chris.neale@t...]
Sent: 31 January 2001 09:06
To: Security_asp
Subject: RE: Just how secure is secure


There's no such thing as secure.

A bold statement. But a true one too. SSL security uses an RSA encryption
algorithm that would take you or me ages to crack. Whether it's 40 bit or 128
it's a bit hard. However.. You and I don't have very much technical resources
to hand. Sitting around me is a network of about 30 PCs, each in the 500MHz+
128Meg RAM range. Using this sort of network would take a month or two of
distributed resources to break 40bit encryption. As an example, the RC56
Challenge (a test to break 56 bit encryption) took a distributed network of
hundreds of PCs around 3 months to break.

However..

The likes of a government or large corporation has the resources to break 40
bit encryption in hours, maybe less. That's just using what methods are in
the public domain. Recently the RSA encryption algorithm came into the
public domain (copyright/patent ran out). The usual parties, such as the
NSA, MI5 and so on, didn't say a word. To a paranoid X-Files fan such as
myself this sounds like they aren't bothered by it. Is that because they
have a method of breaking it using something more than brute force? Who
knows?

In the end though the answer is simple. 40 bit encryption can't kill people.
128 bit can. At least, that's what the US government used to believe. 128 bit
encryption was deemed 'munitions', a weapon, by the Senate. They thought
that by controlling the proliferation of encryption technology they would
have the upper hand in a state of emergency (such as WWIII). To this end
they slapped a law saying that software with a level of encryption of
56bits+ had to have a special license for exporting to countries outside of
the USA. Hence us Europeans, I live in England, got 40bit encryption. Still
enough to foil your average script-kiddie but breakable nonetheless.

In answer to queries from customers I tend to say that the higher the number
the better it is. However, the higher the number the higher the price. Don't
forget though, SSL only encrypts the data while it's travelling to and fro
over the internet. On the client and the server there will always be a stage
that involves unencrypted data.. this is *much* more likely to be the point
of an attack than anywhere else.

Chris


> Hi,
> I've a question about server certificates and SSL.
>
> My site uses a 40 bit certificate and I notice that most
> e-tail sites protect credit card numbers to this level too.
> Now, when I
> use my internet banking account, I see they're using 128 bit
> encryption.
>
> I thought standard SSL (by which I mean 40 bit) was basically
> "uncrackable" because it would take a ridiculous amount of computer
> time to decrypt it. That sounds fine, but the jump from 40 to
> 128 bit sounds pretty big. Why make a code that's unbreakable even
> more unbreakable? Is this just a marketing thing?
>
> When my customers ask about security, how would you reply?
>
> Looking forward to your opinions.
> walter

________________________________________________________________________

TNL (TM) - The Next Level Systems Ltd
http://www.tnl.co.uk
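The thread's argument rests on key-space arithmetic: every extra key bit doubles the work of an exhaustive search, so the gap between 40 and 128 bits is not "a bit more secure" but a factor of 2^88. The following is an added worked example, not code from the thread or from either poster. It takes the figures Chris gives (about 30 PCs, "a month or two" for 40-bit, taken here as an assumed 45 days) to back out an implied key-testing rate, then extrapolates that same attacker to 56 and 128 bits. It assumes a plain exhaustive search that on average finds the key halfway through the space, and it says nothing about shortcuts beyond brute force or about the unencrypted endpoints the message rightly points to as the likelier weak spot.

```python
"""Key-space arithmetic behind the 40-bit vs 128-bit question.

Constructed example: the calibration figures below (30 PCs, 45 days for a
40-bit key) are taken from the mailing-list message and are assumptions,
not measurements.
"""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Figures quoted in the thread (assumed, see the module docstring).
THREAD_PC_COUNT = 30
THREAD_DAYS_FOR_40_BIT = 45  # midpoint of "a month or two"


def expected_trials(key_bits: int) -> int:
    """Average number of keys an exhaustive search tests before succeeding.

    The key is equally likely to be anywhere in the 2**key_bits space, so on
    average it is found after half of the space has been tried.
    """
    return 2 ** (key_bits - 1)


def implied_key_rate(key_bits: int, elapsed_seconds: float) -> float:
    """Keys per second an attacker must have tested to finish an average
    search of `key_bits` in `elapsed_seconds`."""
    return expected_trials(key_bits) / elapsed_seconds


def expected_years(key_bits: int, keys_per_second: float) -> float:
    """Average wall-clock years for an exhaustive search at a given rate."""
    return expected_trials(key_bits) / keys_per_second / SECONDS_PER_YEAR


def work_factor(from_bits: int, to_bits: int) -> int:
    """How many times harder a `to_bits` key is than a `from_bits` key
    against the same brute-force attacker (2 per extra bit)."""
    return 2 ** (to_bits - from_bits)


def thread_key_rate() -> float:
    """Key rate implied by the thread's '30 PCs, a month or two' figure."""
    return implied_key_rate(40, THREAD_DAYS_FOR_40_BIT * SECONDS_PER_DAY)


def extrapolate(keys_per_second: float, speedup: float = 1.0):
    """Expected search time for several key sizes at `keys_per_second`,
    optionally scaled up by `speedup` (e.g. a government with 10**6 times
    the hardware). Returns a list of (key_bits, years) tuples."""
    return [(bits, expected_years(bits, keys_per_second * speedup))
            for bits in (40, 56, 128)]


if __name__ == "__main__":
    rate = thread_key_rate()
    print(f"Implied rate for {THREAD_PC_COUNT} PCs: {rate:,.0f} keys/s "
          f"({rate / THREAD_PC_COUNT:,.0f} keys/s per PC)")
    for speedup in (1, 10 ** 6):
        print(f"\nAttacker with {speedup:,}x the thread's hardware:")
        for bits, years in extrapolate(rate, speedup):
            print(f"  {bits:3d}-bit key: {years:12.3e} years on average")
    print(f"\n128-bit is {work_factor(40, 128):.2e} times harder than 40-bit.")
```

The useful takeaway for a customer conversation is the last line: even an attacker a million times faster than the one in the thread still faces on the order of 10^19 years against a 128-bit key, so the jump is not marketing, and the remaining risk lives where the data is handled in the clear.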

