[gnutls-dev] Re: weak cryptography

Nikos Mavroyanopoulos nmav at gnutls.org
Fri Jul 12 06:25:02 CEST 2002

On Wed, Jul 10, 2002 at 11:33:04AM -0000, phr-2002 at nightsong.com wrote:

>     > A GNU TLS-based web server
>     > without weak cryptography support wouldn't be able to communicate
>     > securely with these browsers.
>     You seem to make an assumption that is not correct. You assume that
>     the 40 bit restricted browsers, offer some security. 
>     Actually they do not offer any security at all.
> I don't agree with this.  40 bit browsers offer some security, enough
> for some applications but not for others.

Having seen this mail and Petr's, I see that you've got a point.

I should point out, however, that enabling the so-called export-grade
ciphers has an impact on the security of all the ciphersuites.

There is a known weakness in the TLS handshake protocol that,
in brief, makes all the cipher suites vulnerable to a man-in-the-
middle attack if the export-grade ciphersuites can be broken fast enough
(before the TCP/IP connection expires).

This attack is known to the TLS WG.

>     It is trivial to crack 40 bit protected communications by brute
>     force.
> It's not trivial and that's easy to prove: if I send you 1000 messages
> encrypted with 32-bit encryption and offer to pay you 0.10 US dollars
> for each message you can read, you might take the trouble to set up a
> few workstations and make an easy 100 USD (it takes about one hour to
> crack each key on a PC, so you'd let your network run for a few days).
> But with 40-bit encryption, it takes weeks to crack each one and you
> probably won't bother.  "Too much work to bother", by definition, is
> non-trivial.

I don't agree with these timings, and there is no point in arguing about
this, since the time needed is reduced every year.

> Finally, this discussion has mostly been about 40 bits, but for a
> brief period some exportable browsers and servers supported 56 bit
> ciphers.  I don't know if GNUTLS considers those "weak".  In practice,
> they are breakable, but only with great difficulty, requiring special
> hardware and/or very large distributed PC networks.

Well, the special hardware can be easily accessed. Consider the cards
that are supposed to offer TLS in hardware.

Anyway, I'll think about this. 

Nikos Mavroyanopoulos
mailto:nmav at gnutls.org
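The following is an added illustration of the handshake weakness Nikos refers to above; it is not code from GnuTLS or from anyone in this thread. It models a TLS-style negotiation in which both peers prefer a strong suite but also enable an export suite, and an active attacker strips the strong suite from the ClientHello. The Finished MACs over each side's transcript normally expose the tampering, so the downgrade only sticks if the attacker recovers the master secret in time to forge both Finished messages. Everything here is a simplification chosen for the example: the suite names are labels only, HMAC-SHA256 stands in for the TLS PRF, record-layer encryption is omitted, and the export suite is modelled as leaving only EXPORT_KEY_BITS (16, not the real 40) bits of secret to brute-force so that the search finishes in well under a second. The attacker's `max_guesses` stands in for the time the connection stays open.

```python
"""Toy cipher-suite rollback against a TLS-style handshake (constructed example)."""
import hashlib
import hmac
import os

STRONG = "RSA_WITH_3DES_EDE_CBC_SHA"      # labels only; no real cipher is run
EXPORT = "RSA_EXPORT_WITH_RC4_40_MD5"

# Modelling assumption: under the export suite the attacker has only this many
# bits of secret to guess.  Real export suites used 40-bit keys; 16 keeps the
# brute force below a second in pure Python.
EXPORT_KEY_BITS = 16
STRONG_KEY_BITS = 128


def prf(secret: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the TLS PRF (HMAC-SHA256 is an assumption of this toy)."""
    return hmac.digest(secret, label + data, "sha256")


def derive_master(premaster: bytes) -> bytes:
    return prf(premaster, b"master secret", b"")


def finished(master: bytes, transcript: list) -> bytes:
    """Finished message: MAC under the master secret over the handshake as this
    side saw it.  A rewritten ClientHello makes the two sides' transcripts
    differ, so their Finished values disagree unless someone who knows the
    master secret recomputes them for the other side's view."""
    return prf(master, b"finished", b"|".join(transcript))


class Mitm:
    """Active attacker: strips the strong suite from the ClientHello, then tries
    to recover the master secret before the connection times out."""

    def __init__(self, max_guesses: int):
        self.max_guesses = max_guesses   # stands in for the TCP/handshake timeout
        self.master = None

    def rewrite_client_hello(self, offered):
        return [s for s in offered if s == EXPORT]

    def recover_master(self, observed_finished, transcript):
        nbytes = (EXPORT_KEY_BITS + 7) // 8
        for guess in range(min(self.max_guesses, 2 ** EXPORT_KEY_BITS)):
            candidate = derive_master(guess.to_bytes(nbytes, "big"))
            if hmac.compare_digest(finished(candidate, transcript), observed_finished):
                self.master = candidate
                return candidate
        return None   # ran out of time: cannot forge either Finished


def run_handshake(client_offer, server_supported, attacker=None, premaster=None):
    """Return (negotiated suite, client accepted Finished, server accepted Finished).

    `premaster` may be fixed by the caller (must be 2 bytes for the export
    suite in this toy) to make the timeout case deterministic."""
    offered_at_server = attacker.rewrite_client_hello(client_offer) if attacker else client_offer
    suite = next((s for s in offered_at_server if s in server_supported), None)
    if suite is None:
        return None, False, False          # no common suite: handshake aborts

    server_hello = b"ServerHello:" + suite.encode()
    client_transcript = [b"ClientHello:" + ",".join(client_offer).encode(), server_hello]
    server_transcript = [b"ClientHello:" + ",".join(offered_at_server).encode(), server_hello]

    bits = EXPORT_KEY_BITS if suite == EXPORT else STRONG_KEY_BITS
    if premaster is None:
        premaster = os.urandom(bits // 8)
    master = derive_master(premaster)

    # Client -> server Finished.  The attacker forges it for the server's
    # transcript only if the brute force succeeds within the time budget.
    client_fin = finished(master, client_transcript)
    if attacker and suite == EXPORT and attacker.recover_master(client_fin, client_transcript):
        client_fin = finished(attacker.master, server_transcript)
    server_accepted = hmac.compare_digest(client_fin, finished(master, server_transcript))

    # Server -> client Finished, likewise forged for the client's transcript.
    server_fin = finished(master, server_transcript)
    if attacker and attacker.master is not None:
        server_fin = finished(attacker.master, client_transcript)
    client_accepted = hmac.compare_digest(server_fin, finished(master, client_transcript))
    return suite, client_accepted, server_accepted


if __name__ == "__main__":
    both = {STRONG, EXPORT}
    print("no attacker:        ", run_handshake([STRONG, EXPORT], both))
    print("attacker, fast:     ", run_handshake([STRONG, EXPORT], both, Mitm(2 ** EXPORT_KEY_BITS)))
    print("attacker, too slow: ", run_handshake([STRONG, EXPORT], both, Mitm(1000), premaster=b"\xff\xff"))
    print("export disabled:    ", run_handshake([STRONG, EXPORT], {STRONG}, Mitm(2 ** EXPORT_KEY_BITS)))
```

The four scenarios make the point of the message concrete: with no attacker the strong suite is negotiated; an attacker who can exhaust the export key space before the connection expires gets both sides to accept the downgraded suite; one who cannot is caught by the Finished check on both sides; and a server that simply does not enable the export suite gives the attacker nothing to downgrade to, so the handshake aborts instead.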
