
On Mon, 8 Apr 1996, JR Weaver wrote:
> with SFNB to purchase my own copy of 128-bit Netscape Navigator. You can make
> transactions over the net and SFNB does not limit you to 128-bit. Is it really
> that easy to break 40-bit? Don't you need access to a "fair amount of cpu
> power" to brute force crack 40bit? As far as I know client authentication is
> strictly username & password. What other authentication system exists??

To put it in a word, 'yes'.
This would be a very good system to attack.

Last year during the 'break SSL export' saga, I was able to search 2^39 of the key space mostly using networked workstations that were 486DX50's and sparc 20's. This took 2 weeks and basically I ran for 12 hours each night and no-one at work really knew I was doing this. Well I now have a pentium 100 and they are starting to appear all over the place, they run my code 3 times faster.

This now means that some-one like me, working in a large software company, if it was fitted out with lots of pentiums would be able to definitely get your username and password in less than 10 days with basically no-one knowing that this had been done. Hell, I still have my software sitting around, it is automated, it would only take me a month, with no intervention from me until I get the email with the results.

Please remember that I'm not talking about theory. Besides the person working next to me, no-one at work knew I was participating in the brute force breaking attempt. Well this is not totally true, the owner of the SGI with 6 R4400 CPU's noticed that I was using a few of the CPU's but they did not know what the programs were doing :-).

I would say that RC4 40 should not be used if possible, especially to do with anything to do with banking.

eric (just putting in his own 2 certs worth).
--
Eric Young                  | Signature removed since it was generating
AARNet: eay@mincom.oz.au    | more followups than the message contents :-)