IIS 4.0 with SGC will generate 1024-bit RSA key pairs, and only
512-bit key pairs without SGC...
It gets worse: MSIE 4.01 will verify signatures of CA certs with
2048-bit RSA sigs, but will only generate 512-bit RSA key pairs,
even with SGC, so although you get strong privacy you still get
weak client authentication.
-----Original Message-----
From: Dr Stephen Henson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, 29 May 1998 11:21
Subject: Re: [ssl-users] 128-bit on Microsoft IIS and export
>Matthew Skala wrote:
>>
>>
>> This is not so silly, because it helps prevent precalculation attacks. If
>> "true" 40-bit encryption were used, an attacker could precalculate a
>> dictionary of some commonly-seen information encrypted with all 2^40
>> possible keys, and just look up intercepted packets. With 128-bit
>> encryption and 88 bits revealed, an attacker still has to do the work to
>> attack the 40-bit encryption EVERY time they want to attack it instead of
>> once and for all. That could mean the difference between routinely
>> intercepting everyone's traffic and only intercepting the traffic of known
>> targets. If your threat model is something like "NSA violating people's
>> doing routine email searches of everyone", then "fake 40 bit" could be
>> significantly preferable to the "real 40 bit".
>>
>
>You are taking my comments out of context. My "silly" comment was with
>respect to the export laws, not with respect to the security involved.
>I was referring to ambiguity of using a 128 bit strong encryption
>algorithm for the purposes of weak encryption.
>
>The original query expressed surprise that a 40 bit export browser could
>suddenly become a 128 bit browser with SGC and that suddenly 128 bit
>algorithms were allowed to be exported. My comment referred to the fact
>that the 40 bit export approved browsers always used 128 bit algorithms.
>
>> Also, if you're in the "deploy and enjoy" camp, it could be seen as a good
>> thing for SSL users to be distributing 128-bit algorithms, even if they're
>> crippled down to 40 bits, rather than distributing true 40-bit algorithms.
>> Having lots of copies of 128-bit code in the world would seem to be a good
>> thing.
>>
>
>Except that 128 bit algorithms are just 40 bit algorithms called with
>different parameters at least as far as the most common are concerned.
>
>The "distributed" algorithms rarely have any exposed interface anyway
>due to the same export laws. CryptoAPI is one exception which has a
>partially usable 128 bit RC2 and RC4 algorithm: though you can't set
>arbitrary keys.
>
>As to having copies of 128 bit code in the world well the stuff is
>freely available in the "free world" anyway. Not to mention precise
>details of some algorithms distributed in RFCs. The export restrictions
>as usual assume that no one outside the US can program.
>
>As usual one tries to make sense of the US export regulations at one's
>peril :-)
>
>Steve.
>--
>Dr Stephen N. Henson.
>UK based freelance Cryptographic Consultant. For info see homepage.
>Homepage: http://www.drh-consultancy.demon.co.uk/
>Email: [EMAIL PROTECTED]
>PGP key: via homepage.
>
>+-------------------------------------------------------------------------+
>| Administrative requests should be sent to [EMAIL PROTECTED] |
>| List service provided by Open Software Associates, http://www.osa.com/ |
>+-------------------------------------------------------------------------+
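
The precalculation argument quoted above, and the remark that the 128-bit and 40-bit ciphers are the same routine called with different parameters, as a scaled-down sketch. This is an added example, not code from the thread or from any SSL implementation; the 12-bit secret (standing in for 40 bits), the 2-byte-secret-plus-11-byte-clear-salt key layout, the known plaintext and all function names are assumptions made for the demonstration.

```python
SECRET_BITS = 12   # assumption: stands in for the 40 secret bits so the demo runs fast
KNOWN = b"GET / HTTP/1.0\r\n"   # constructed "commonly seen" plaintext

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same routine serves a 2-byte or a 13-byte key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key schedule
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def session(secret: int, salt: bytes = b"") -> bytes:
    """Ciphertext of KNOWN as seen on the wire; salt is the key part sent in clear."""
    return rc4(secret.to_bytes(2, "big") + salt, KNOWN)

def build_table(salt: bytes = b"") -> dict:
    """Precalculation: encrypt KNOWN under every possible secret, index by ciphertext."""
    return {session(k, salt): k for k in range(1 << SECRET_BITS)}

def demo():
    # "Real" short key: one table, built once, answers every intercepted session.
    table = build_table()
    plain_hits = [table.get(session(s)) for s in (7, 1234, 4000)]
    # "Fake" short key: the 88 clear bits (11 bytes) differ per session, so a
    # table built for salt_a says nothing about a session that used salt_b.
    salt_a, salt_b = bytes(range(11)), bytes(range(100, 111))
    table_a = build_table(salt_a)
    same_salt = table_a.get(session(1234, salt_a))
    other_salt = table_a.get(session(1234, salt_b))
    return plain_hits, same_salt, other_salt

if __name__ == "__main__":
    print(demo())
```

At full scale the unsalted table would hold 2^40 entries built once, while the salted case needs a fresh 2^40 encryptions for every session.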