[plug] StarOffice

Christian christian at amnet.net.au
Tue Jun 27 21:34:06 WST 2000


On Tue, Jun 27, 2000 at 05:03:56PM +0800, Darrell Horrocks wrote:

> ANZ uses a pretty standard 128 bit SSL implementation (fine under Linux) but
> <RANT> neglects to mention to the general user (under FAQ or elsewhere) that the
> standard international browser only supports 64 bit encryption.  Bloody fat lot
> of good the server is if you are limiting it with your client. </RANT>

As has been pointed out the (previous) key length limit imposed by US
ITAR regulations (the regulations have since been significantly relaxed)
was 40 bits.  64 bits would probably be sufficient for protecting the
banking details of an individual -- consider how many computers are
involved in the RC5-64 distributed.net challenge, how long that's
been going and how long it's projected to continue; when
the cost of recovering the data protected by the key is greater than the
value of the data itself then, by definition, the data is secure.  Also,
I strongly suspect that the best way of breaking an online banking
system would be to attack weaker authentication systems and protocols
than trying to brute force even 40 bit SSL.  For example, the user is
probably authenticated by their account number (relatively easily
retrieved) and a small password/PIN.  In such a system the entropy
involved in the shared secret being exchanged is very likely less than
20 bits.  Since the SSL doesn't authenticate the user (only the bank)
this is the weak point in such a system.  In such a protocol only a fool
would try to brute force the SSL.  (This is somewhat speculative as I
haven't used anyone's online banking services so I don't know exactly
how it works.)

Also, I remember a discussion a fair while back on this list where
someone suggested that even "International" browsers could utilise 128
bit keys when connecting to sites such as banks.  For normal
transactions the limit might be 40-bits but ITAR made exceptions for
encryption technology to be used in connection with special financial
institutions.  Perhaps someone with a better memory (or who wants to
search the archives) can clarify this.

Regards,

Christian.
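Christian's argument above compares the work needed to brute-force the SSL key with the much smaller entropy of an account number plus PIN. The following is an added example, not part of the original post, that puts numbers on that comparison and shows how an online lockout policy at the login layer changes the picture; the guess rates and the 3-tries-per-day lockout are constructed assumptions.

```python
"""
Added example (not from the original list post): compare the entropy of a
PIN-style login secret with the 40-bit SSL key length under discussion, and
show how throttling failed logins changes the cost of attacking the weaker
layer. All rates and the lockout policy below are constructed assumptions.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def secret_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random secret of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: float) -> float:
    """Expected trials to hit a uniformly random secret: half the keyspace."""
    return 2 ** (entropy_bits - 1)


def expected_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock years to recover the secret at a constant rate."""
    return expected_guesses(entropy_bits) / guesses_per_second / SECONDS_PER_YEAR


def effective_rate_with_lockout(attempts_before_lock: int, lock_seconds: float) -> float:
    """Sustainable online guesses per second against ONE account when the
    server locks it for `lock_seconds` after `attempts_before_lock` failures.
    This is the defender-side lever that key length does nothing about."""
    return attempts_before_lock / lock_seconds


if __name__ == "__main__":
    pin_bits = secret_entropy_bits(10, 4)  # 4-digit PIN, about 13.3 bits
    print(f"4-digit PIN: {pin_bits:.1f} bits of entropy vs a 40-bit SSL key")
    # Constructed assumption: 1e9 trials/s for an offline key search.
    print(f"offline 40-bit key search: {expected_years(40, 1e9) * SECONDS_PER_YEAR:.0f} s expected")
    # Constructed assumption: 100 online login attempts/s with no throttling.
    print(f"online PIN, no lockout: {expected_guesses(pin_bits) / 100:.0f} s expected")
    # Constructed policy: 3 failed attempts, then the account is locked for a day.
    rate = effective_rate_with_lockout(3, 24 * 3600)
    print(f"online PIN, 3 tries per day: {expected_years(pin_bits, rate):.1f} years expected")
```

The point the numbers make is the one in the post: without throttling, the PIN falls in under a minute while the 40-bit key takes minutes to hours of dedicated search, so the login layer, not the cipher, is where the defender's controls matter.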


