[Webappsec] weak ssl ciphers
tim-webappsec at sentinelchicken.org
Mon Apr 7 15:15:40 EDT 2008
On Mon, Apr 07, 2008 at 02:56:12PM -0400, Travis Altman wrote:
> I've been trying to find some documentation on how long it would take to
> decipher weak SSL keys (40 and 56 bit ciphers) but can't seem to find any.
> Does anyone know of any good documentation on this? I would like to have
> this documentation for recommendations on disabling weak ciphers.

I'm not sure how long this would take on a typical system nowadays.
Hopefully someone will chime in with some numbers.

A related question that I would like to bring up: Given that RC4 is
commonly available as a weak/export cipher, does anyone know how hard it
would be to attack RC4's weak IV issues to divulge a key more quickly?
Would it be possible to gather enough IVs quickly enough to make it
worth the effort instead of just brute forcing the key directly?