----- Original Message ----- From: "TD - Sales International Holland B.V." <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, December 21, 2001 12:34 PM Subject: [RC5] Re: [PHP] PHP / SSL | for distributed.net
> <for the distributed.net people> > sorry this is OT but we would like to know what is more secure. > 40bit SSL or 56bit DES. The reason I'm asking is since DES has > been cracked under 22 hours 40bit SSL looks really insecure to me. > > Thanks in advance, sorry for the OT > </for the distributed.net people> First, you have to realise that SSL is not a crypto algorithm, it is a transport layer, so when you are talking about 40bit SSL you are most likely talking about 40bit RC5 encryption which is used in SSL. You can also have 56bit DES encryption in SSL, or a number of other algorithms if your SSL client/server supports it. Either way, using a 40bit key is MUCH less secure than using a 56bit key. Every time you increase the key length by a bit, it doubles the amount of possible keys to search through to crack it by brute force. A 56bit key has 65536 times more possible keys than a 40bit key. A 128bit key has 309485009821345068724781056 times more possible keys than a 40bit key. Remember with a brute-force attack you have to check all the keys to see if it is the correct one so the more possible keys there are, the longer it will take and the more work is involved. You should not use either 40bit or 56bit SSL since both are not considered secure. You should use 128bit SSL instead. There is no reason to use 40 or 56bit SSL any more since web servers and web browsers that support 128bit SSL are easily found. Modules like mod_ssl for Apache support 128bit encryption algorithms using the openssl library and work great with PHP. If you only have the choice between 40bit SSL or 56bit SSL, then go for the 56bit version. Your traffic will not be securely protected but it is much more work to break DES than it is 40bit RC5 in SSL. Regards, Jeff. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
