[gnutls-dev]Re: weak cryptography

Nikos Mavroyanopoulos nmav@gnutls.org
Fri Jul 12 06:25:02 2002 

On Wed, Jul 10, 2002 at 11:33:04AM -0000, phr-2002@nightsong.com wrote:

>     > A GNU TLS-based web server
>     > without weak cryptography support wouldn't be able to communicate
>     > securely with these browsers.
>     You seem to make an assumption that is not correct. You assume that
>     the 40 bit restricted browsers, offer some security. 
>     Actually they do not offer any security at all.
> I don't agree with this.  40 bit browsers offer some security, enough
> for some applications but not for others.

Having seen this mail and Petr's I see that you've got some point.

I should point out however that enabling the so called export-grade
ciphers, has an impact to the security of all the ciphersuites.

There is a known weakness in the TLS handshake protocol that
in brief, makes all the cipher suites vulnerable to a man in the
middle attack if the export-grade ciphersuites can be broken fast enough
(before the TCP/IP connection expires).

This attack is known to the TLS WG.

>     It is trivial to crack 40 bit protected communications by brute
>     force.
> It's not trivial and that's easy to prove: if I send you 1000 messages
> encrypted with 32-bit encryption and offer to pay you 0.10 US dollars
> for each message you can read, you might take the trouble to set up a
> few workstations and make an easy 100 USD (it takes about one hour to
> crack each key on a PC, so you'd let your network run for a few days).
> But with 40-bit encryption, it takes weeks to crack each one and you
> probably won't bother.  "Too much work to bother", by definition, is
> non-trivial.

I don't agree with these timings, and there is no point in arguing about
this, since the time needed is reduced every year.


> Finally, this discussion has mostly been about 40 bits, but for a
> brief period some exportable browsers and servers supported 56 bit
> ciphers.  I don't know if GNUTLS considers those "weak".  In practice,
> they are breakable, but only with great difficulty, requiring special
> hardware and/or very large distributed PC networks.
Well the special hardware can be easily accessed. Consider the cards
that are supposed to offer TLS in hardware.


Anyway, I'll think about this. 


-- 
Nikos Mavroyanopoulos
mailto:nmav@gnutls.org