Francis DeLaMaza wrote:
> 
> Greg,
> 
> Based on what I've discovered so far, and your feedback, it seems that the
> best approach is to tweak the default key length of the RC4/SHA ciphersuite.
> This cipher method comes standard under SSL v3/TLS1 at 56-bit and 128-bit
> functionality.
> 
> It doesn't seem that it should take much more than a modification to the
> default key-length of these particular cryptosuites.  After which the
> modified OpenSSL could then be used to drive the apache secureserver and
> konqueror browser to complete the two ends of the communication.
> 
> I'm sure that one of the developers of OpenSSL would know exactly where to
> make the surgical modifications that would allow for this functionality.
> 
> Does this make sense, or am I overlooking something?
> 

Well, the key sizes are fixed in the TLS/SSL standards. If you change
them the server and client are broken and no longer compliant.

You can't just use a new cipher with a different keysize because it won't
have a standard number assigned to it.

You could use an experimental ciphersuite number for a new ciphersuite
which would then only interop with something that uses the same
experimental number.

AES (the Advanced Encryption Standard: a symmetric cipher) already
supports key sizes of 192 and 256 bits and is supported in the
development version of OpenSSL.

However the question remains: why would you need anything larger than
128 bits?

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
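
Added example (not part of the original message and not OpenSSL code): a small model of how a server picks a ciphersuite by its 2-byte number, showing why a suite on an experimental number only interoperates with a peer patched the same way. The standard suite numbers are the ones assigned in the TLS specifications; 0xFF01 and the name X_RSA_WITH_RC4_256_SHA are hypothetical, and picking the first client-offered match is a simplification.

```python
import struct

# Standard suite numbers; the key size is part of each suite's definition.
STANDARD = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}
# Hypothetical experimental suite in the private-use range (first byte 0xFF).
EXPERIMENTAL = {0xFF01: ("X_RSA_WITH_RC4_256_SHA", 256)}


def encode_suites(ids):
    """Encode a ClientHello cipher_suites vector: 2-byte length, then 2-byte IDs."""
    return struct.pack("!H", 2 * len(ids)) + b"".join(struct.pack("!H", i) for i in ids)


def decode_suites(blob):
    """Parse the vector back into a list of suite numbers, rejecting bad lengths."""
    if len(blob) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack_from("!H", blob, 0)
    if length % 2 or length != len(blob) - 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", blob, 2 + off)[0] for off in range(0, length, 2)]


def is_private_use(suite_id):
    """True for numbers whose first byte is 0xFF (local/experimental use)."""
    return suite_id >> 8 == 0xFF


def server_select(blob, server_table):
    """Return (id, name, key_bits) for the first offered suite the server knows.
    None models the server answering with a handshake_failure alert."""
    for suite_id in decode_suites(blob):
        if suite_id in server_table:
            return (suite_id,) + server_table[suite_id]
    return None


if __name__ == "__main__":
    patched = {**STANDARD, **EXPERIMENTAL}
    # Constructed offers: experimental only, then experimental with an AES-256 fallback.
    only_x = encode_suites([0xFF01])
    with_fallback = encode_suites([0xFF01, 0x0035])
    print("patched client -> stock server:  ", server_select(only_x, STANDARD))
    print("patched client -> patched server:", server_select(only_x, patched))
    print("fallback offer -> stock server:  ", server_select(with_fallback, STANDARD))
```
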
