[2601] in cryptography@c2.net mail archive
Re: safety of SSL 2?
daemon@ATHENA.MIT.EDU (Eric Young)
Tue Apr 28 22:08:48 1998
Date: Wed, 29 Apr 1998 11:11:53 +1000 (EST)
From: Eric Young <eay@cryptsoft.com>
Reply-To: Eric Young <eay@cryptsoft.com>
To: EKR <ekr@terisa.com>
cc: cryptography@c2.net
In-Reply-To: <3u37dlk4x.fsf@kmac.terisa.com>
On 28 Apr 1998, EKR wrote:
> In short, even in the common static RSA case, SSLv3 offers superior
> resistance to integrity attacks when exportable ciphers are used.
I definitely agree with this, SSLv3 does give better integrity security, but who
is doing 40-bit real time decryption yet?
My view of the world tends not to be about impersonation, rather the retrieval
of sensitive information from the data streams. "Perfect Forward Secrecy" (to
use the correct term :-) is what concerns me. SSL is capable of providing it,
and TLS mandates ephemeral Diffie-Hellman ciphers that provide this, but none
of these are widely deployed. In theory, Ephemeral RSA could be used with most
of the RSA ciphers, but last time I tested, quite a few of the browsers were
not happy with this when used with non-export ciphers.
I've been involved in 2 SSL decryption exercises with SSLv2. One was the
brute force breaking of a 40-bit export cipher over 2 weeks (half the key space and
lots of computing power). The second was me being provided with about 20
packet logs and the RSA private key retrieved from the hard disk of a hacker's
computer. 4 hours later, I could decrypt all the packet logs, and could
decrypt any more I was given in a few seconds. This 'attack' is still just as
viable for SSLv3 as it is currently deployed in most applications. One could
argue that this is the case for hardware tokens etc, but with the forward
security provided by separate authentication and temporary encryption keys, no
criminal or court will ever be able to retrieve the data without using brute
force.
So from my point of view, the "Perfect Forward Secrecy" is more of an issue
than 40-bit keys :-).
eric (who wants more Ephemeral-DH capable browsers out there)
PS For those interested, this was over 2 years ago and was about the time
I added 'BIO' support into SSLeay so the SSL library could operate on
files just as easily as sockets. It is also why there are
separate read and write IO descriptors in the library :-)
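The two key-exchange shapes contrasted in the message above (static RSA key transport versus ephemeral Diffie-Hellman authenticated by the same long-lived RSA key), as an added Python example that is not part of the original message and is not SSLeay code: it records one toy SSL-style session of each kind, then hands the attacker the server's RSA private key afterwards, as in the hard-disk case described. Every primitive is an assumption of the example rather than anything from SSLv2/SSLv3 or the message: textbook RSA with the fixed primes 1000000007 and 998244353, a 61-bit DH group, a SHA-256 counter keystream standing in for the record cipher, and the function names.

```python
"""Toy model of the attack in the message above: record SSL traffic now,
decrypt it later with a server RSA private key pulled off a disk. Static RSA
key transport falls to it; ephemeral Diffie-Hellman signed by that same RSA key
does not. Every primitive here is a constructed, insecure stand-in (textbook
RSA with small fixed primes, a 61-bit DH group, a SHA-256 keystream as the
record cipher); only the key-exchange structure is the point."""
import hashlib
import secrets

RSA_E = 65537
DH_P, DH_G = 2**61 - 1, 3          # toy DH group: Mersenne prime M61, generator 3


def rsa_keygen():
    """Textbook RSA with fixed small primes so the run is deterministic (toy)."""
    p, q = 1000000007, 998244353   # constructed toy primes, far too small for real use
    n = p * q
    d = pow(RSA_E, -1, (p - 1) * (q - 1))
    return (n, RSA_E), (n, d)


def hash_int(value):
    """Hash an integer to an integer; used to sign DH shares (toy)."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big")


def derive_key(secret):
    """Stand-in for the SSL master-secret / key-block derivation."""
    return hashlib.sha256(b"master secret" + secret.to_bytes(32, "big")).digest()


def xor_stream(key, data):
    """Stand-in record cipher: SHA-256 counter keystream XORed over the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def handshake_static_rsa(server_pub, plaintext):
    """Static RSA key transport: the client picks a pre-master secret and
    RSA-encrypts it to the server's long-lived key. Returns what the wire saw."""
    n, e = server_pub
    pms = secrets.randbelow(n)
    key = derive_key(pms)
    return {"kx": "static_rsa", "enc_pms": pow(pms, e, n), "ct": xor_stream(key, plaintext)}


def handshake_ephemeral_dh(server_priv, plaintext):
    """Ephemeral DH: both sides pick fresh exponents, the server signs its share
    with the long-lived RSA key, and the exponents are thrown away afterwards."""
    n, d = server_priv
    x = secrets.randbelow(DH_P - 2) + 1      # client's ephemeral exponent
    y = secrets.randbelow(DH_P - 2) + 1      # server's ephemeral exponent
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    sig = pow(hash_int(gy) % n, d, n)        # toy RSA signature over the server share
    shared = pow(gx, y, DH_P)
    assert shared == pow(gy, x, DH_P)        # both sides agree on g^xy
    key = derive_key(shared)
    del x, y, shared                         # nothing long-lived can recover these
    return {"kx": "ephemeral_dh", "gx": gx, "gy": gy, "sig": sig, "ct": xor_stream(key, plaintext)}


def decrypt_with_leaked_key(log, server_priv):
    """What an attacker holding a recorded packet log plus the server's private
    key (recovered later) can get back: the plaintext, or None."""
    n, d = server_priv
    if log["kx"] == "static_rsa":
        pms = pow(log["enc_pms"], d, n)      # the leaked key opens the pre-master secret
        return xor_stream(derive_key(pms), log["ct"])
    # Ephemeral DH: d lets the attacker check (or forge) the signature on g^y,
    # so future impersonation is possible, but the recorded session key depends
    # on x or y, which were never encrypted under the RSA key. What remains is
    # g^x, g^y and a discrete-log problem.
    assert pow(log["sig"], RSA_E, n) == hash_int(log["gy"]) % n
    return None


def demo(plaintext=b"card number 4111 1111 1111 1111"):   # constructed sample traffic
    """Record one session of each kind, then 'find the key on the disk' later."""
    pub, priv = rsa_keygen()
    logs = [handshake_static_rsa(pub, plaintext), handshake_ephemeral_dh(priv, plaintext)]
    return {log["kx"]: decrypt_with_leaked_key(log, priv) for log in logs}


if __name__ == "__main__":
    for kx, recovered in demo().items():
        print(kx, "->", recovered)
```

Running it returns the recorded plaintext for the static-RSA log and None for the ephemeral-DH log. The leaked key still verifies (and could forge) the toy signature on g^y, which is the impersonation risk the message sets aside; what it never yields is g^xy, so the recorded stream stays closed. In a real deployment every toy primitive above would be replaced, and the exponents must actually be ephemeral (generated per session, not cached) for the forward-secrecy argument to hold.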