To all,
I know this is a little off topic, but I know a lot of you will be
interested in helping me with this.
Please review the following article for technical correctness. It is, at
best, my amateur compilation of inputs I received over the past few weeks from
many different security related newsgroups. Hopefully, this will calm the
storm generated by the clueless reporting of the "512-bit RSA key cracked"
event. Keep in mind the audience for this article is the general public and
those reporters that have "reported" on this event.
Please let me know your comments/opinions.
Thanks in advance,
Michael Sorbera
Webmaster
Randolph-Brooks Federal Credit Union
Here's my proposed article:
A team of researchers, numbering in the hundreds, combined with over 300
awesome computers working over a seven-month period demonstrated that using
their combined resources the capability exists to "crack" the 512-bit RSA key.
This 512-bit key is currently used largely by E-Commerce sites that want to be
able to do business internationally. Most of the U.S. based financial
institutions have already made the upgrade to the 1024-bit RSA key.
The actual 512-bit RSA key was not cracked. A 155-digit number that is the
same length as the number for the 512-bit key was factored to its prime
numbers. So the "actual" key was not factored or cracked, but a number similar
to it was. The researchers demonstrated to the world that the key could be
cracked, not that it was cracked. To actually crack the key, someone will have
to duplicate the efforts of the researchers on the actual key. Most of the
folks involved in this endeavor would not participate in an actual attack on a
key.
This 512- or 1024-bit RSA key is only one level of protection given to
transactions on the Internet. Almost all public transactional Web sites use
SSL (Secure Sockets Layer) to encrypt the data. In SSL, once the data is
encrypted using the 512- or 1024-bit RSA key, it is encrypted again with
ANOTHER key that's generated by the browser. This other key is different every
time you initiate an SSL session. For those browsers using 128-bit Strong U.S.
encryption, a Cray supercomputer can crack it in 2 days. The average group of
folks would have to get together 30 or so computers, running in parallel,
teamed up with about 5 people, for at least 2 weeks of 24-hour-a-day operation to
"crack" this second key.
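As an added illustration (not part of Michael's post or the draft article), the toy RSA key below shows two points the article makes: factoring the modulus is the same thing as recovering the private key, and factoring a different number of the same size gives nothing usable against the real key. The primes, the message, and the trial-division "factoring" are constructed stand-ins, nowhere near the 155-digit size of the real effort.

```python
# Added toy illustration; not code from the original post. Primes and message
# below are constructed examples, far too small for real use.
from math import ceil, gcd, log10

def digits_for_bits(bits):
    """Decimal digits a number of the given bit length can need (upper bound).
    512 bits -> 155 digits, which is why RSA-155 stood in for a 512-bit key."""
    return ceil(bits * log10(2))

def make_toy_key(p, q, e=65537):
    """Build an RSA key pair from two primes: modulus n, public e, private d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d

def factor_by_trial_division(n):
    """Return the two prime factors of a toy semiprime n.
    Stands in for the number-field sieve used on RSA-155; only feasible
    for tiny n, which is exactly why the 512-bit effort took months."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no factor found")

def recover_private_exponent(n, e):
    """Given only the public key (n, e), factor n and derive d.
    Factoring the modulus *is* recovering the private key."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))

def decrypts_correctly(n, d, e, message):
    """True if d inverts encryption under (n, e) for the given message."""
    ciphertext = pow(message, e, n)
    return pow(ciphertext, d, n) == message

if __name__ == "__main__":
    n, e, d = make_toy_key(1000003, 1000033)
    # Factoring the real modulus gives back the real private exponent ...
    print(recover_private_exponent(n, e) == d)          # True
    # ... but factoring a different modulus of the same size does not.
    other_n, _, _ = make_toy_key(1000037, 1000039)
    wrong_d = recover_private_exponent(other_n, e)
    print(decrypts_correctly(n, wrong_d, e, 42))        # False
```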