Go to google and search for 'article 40-bit secure' or something. I found a
couple of articles in about ten seconds.
If you want professional opinions (from people who know what they're talking
about, rather than journalists ;) then you might want to ask on a crypto
list, although I'm sure you'll get plenty of answers here.
If you're running your website on IIS on Windows then insisting on 128-bit
encryption is probably silly, from a security standpoint. You're about 99.9%
more likely to be compromised through an IIS attack.
However, consumers are actually starting to learn that 128 == good, so
you'll find that many people will not use your site if it's only 40-bit. The
potential customers you'll lose, by the way, by insisting on 128-bit are
almost all outside the US - I don't know if that's important to your
marketroids. Browsers have been 128-bit capable in the US for about five
years.
All in all, this probably isn't a security argument. I'd use 128-bit
encryption because it's an important checkbox - all e-commerce sites (that
I've seen) support 128-bit (although not all _require_ it). That's in
Australia, by the way, and we've only had Uncle Sam trust us with 128-bit
encryption for about 3 years (because we're obviously all drug dealers and
terrorists), so it's far more likely that browsers will break over here.
By the way, if you ever have information compromised through a 40-bit
encryption break, you'll probably be world famous, because I've never heard
of it happening in the real world before (only in "challenge" situations).
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> -----Original Message-----
> From: Diane Wood [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 6:06 AM
> To: [EMAIL PROTECTED]
> Subject: 128-bit encryption battle with sales force
>
>
> Can anyone help me with published references clearly stating
> that 128-bit encryption and 1024-bit certificates are
> recommended in an e-commerce solution? Or, in opposition,
> something that explicitly states that 40-bit is a
> respectable/secure choice for e-commerce?
>
> I have enabled strong encryption on our current e-commerce
> website and inadvertently started a major battle between our
> vendor sales manager and myself. The vendor is concerned
> they are losing potential customers (money) with the 128-bit
> requirement, and claiming to my management that I am being
> too paranoid.
>
> My management is siding with the sales force and I've been
> told to roll encryption back to 40-bit unless I can
> substantiate my claim that strong encryption is required to
> be industry standard for online e-commerce solutions.
>
> Any help would be greatly appreciated!
>
> Thanks,
>
> Diane Wood
> Internet & Network Security Services
> Florida Department of Highway Safety & Motor Vehicles
> [EMAIL PROTECTED]
>
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
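The argument in this thread is about whether a server should refuse 40-bit (export-grade) cipher suites and insist on 128-bit. The following is an added example, not code from either poster or from the firewalls list: it shows how a defender would make that policy explicit and auditable on a Python server using the standard `ssl` module. It assumes a Python build linked against a modern OpenSSL, where export and LOW suites are excluded by the cipher string and the context can be inspected with `get_ciphers()`; the `SAMPLE_*` tuples are constructed values in the shape `SSLSocket.cipher()` returns, not captured from any real site.

```python
"""Enforce and audit a minimum symmetric key strength on a TLS server context.

Added example for the 40-bit vs 128-bit discussion; not code from the thread.
Assumes a modern OpenSSL behind Python's ssl module.
"""
import ssl

# The policy the thread argues about: nothing weaker than 128-bit symmetric keys.
MIN_STRENGTH_BITS = 128

# OpenSSL cipher-list syntax: start from the HIGH group and explicitly exclude
# the weak classes. EXPORT and LOW are the 40-bit and 56-bit suites; MEDIUM
# covers RC4-128-class suites that are no longer acceptable either.
CIPHER_POLICY = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!RC4:!3DES:!MD5"


def build_server_context(certfile=None, keyfile=None):
    """Return a server-side SSLContext that applies CIPHER_POLICY.

    certfile/keyfile are optional so the context can be built and audited
    without a certificate on hand (e.g. in a configuration test).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3/TLS1.0/1.1 downgrade
    ctx.set_ciphers(CIPHER_POLICY)                 # raises SSLError if nothing matches
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_ciphers(ctx, min_bits=MIN_STRENGTH_BITS):
    """Audit a context: names of enabled suites whose effective strength < min_bits.

    get_ciphers() reports OpenSSL's own 'strength_bits' for every suite the
    context will offer, so an empty list proves the policy took effect.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


def accepts_negotiated(cipher, min_bits=MIN_STRENGTH_BITS):
    """Second line of defence after the handshake.

    `cipher` is the (name, protocol_version, secret_bits) tuple returned by
    SSLSocket.cipher(); a connection below the floor should be closed and logged.
    """
    _name, _protocol, bits = cipher
    return bits is not None and bits >= min_bits


# Constructed sample values in the shape SSLSocket.cipher() returns (not real captures).
SAMPLE_EXPORT = ("EXP-RC4-MD5", "SSLv3", 40)                    # 40-bit export suite
SAMPLE_STRONG = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)  # 128-bit suite


if __name__ == "__main__":
    context = build_server_context()
    print("cipher policy:", CIPHER_POLICY)
    print("suites offered:", len(context.get_ciphers()))
    print("suites below %d bits:" % MIN_STRENGTH_BITS, weak_ciphers(context))
    for sample in (SAMPLE_EXPORT, SAMPLE_STRONG):
        print(sample[0], "->", "accept" if accepts_negotiated(sample) else "reject")
```

The cipher string is server-side configuration, so the customer-facing question in the thread (which browsers can still connect) is answered by what `get_ciphers()` leaves enabled rather than by a journalist's article; the post-handshake check in `accepts_negotiated` is the audit trail that shows a weak session was never served.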