RE: Re[2]: [cobalt-users] RaQ4 Equifax Certs
- Subject: RE: Re[2]: [cobalt-users] RaQ4 Equifax Certs
- From: "Rodolfo J. Paiz \(E-mail\)" <rpaiz@xxxxxxxxxxxxxx>
- Date: Mon Jan 22 20:44:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Even I didn't realize that Thawte's $125 certs weren't 128 bit. When
> I was talking with a rep about becoming a Thawte reseller, I had the
> impression that I would be able to purchase 128 bit certs for that
> price.
You are able to purchase 128-bit certs from Thawte for that price, sort
of; the difference is that they drop down to 40-bit or 56-bit when used
internationally. They are only 128-bit *inside* the USA. To some that's
a moot point; increasingly, to many of us and to millions of browsers
that's a big damn distinction.
> GW> Will this impact my ability to do credit-card processing?
> GW> The company I use just said I had to have SSL, they did
> GW> not specify the quality.
>
> It shouldn't impact your ability per se. You'll still be
> encrypting the session, but only at 1/2 to 1/3 the strength
> of a 128 bit cert. If a security nut visits your site, they
> may frown upon the non 128 bit connection and go elsewhere.
Danger, Will Robinson, danger...
40-bit is *NOT* 1/3 the strength of 128-bit, just as 56-bit is *NOT*
around 1/2 the strength of 128-bit. I'm sure you know this, but let me
spell it out in case some lurker gets confused:
40-bit: 2^40 possible combinations (roughly 1.1 x 10^12)
56-bit: 2^56 possible combinations (roughly 7.2 x 10^16)
128-bit: 2^128 possible combinations (roughly 3.4 x 10^38)
So a 56-bit cert is 70,000 *times* more difficult to crack by brute
force than a 40-bit cert... it takes 70,000 times as much effort. And a
128-bit cert is 309,485,009,821,345,000,000,000,000 times more difficult
to crack than a 40-bit cert as well as 4,722,366,482,869,650,000,000
times more difficult to crack than a 56-bit cert.
There is a *large* difference between them, and as processing power
increases the probability that 40- or 56-bit certs get hacked increases
as well. It's still quite tiny, but it's growing. For example, some guys
at U.C. Berkeley (I think) put about $800K worth of workstations to work
and cracked a 40-bit key in about four hours. Expensive? Unlikely? Yes.
But scary nonetheless.
128-bit certs offer me the comfort that, at present levels of
technology, it would take someone with the horsepower of the *entire*
SETI@home project (about 50 TeraFLOPS right now) about
215,805,661,416,120 millennia to crack one. Next year may be different,
but for right now I'm happy.
--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx
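The work-factor arithmetic in the message above, as an added worked example (not part of the original post or thread). It assumes one key trial per FLOP and a 365-day year, which is what reproduces the poster's SETI@home figure; the Berkeley run is modelled from the post's "about four hours".

```python
# Brute-force work model behind the figures in the post (added example).
# Assumptions: one key trial per FLOP, 365-day year (matches the post's arithmetic).

SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year, as the post's figures imply


def keyspace(bits: int) -> int:
    """Number of possible keys for a symmetric session key of `bits` bits."""
    return 1 << bits


def work_ratio(bits_a: int, bits_b: int) -> int:
    """How many times more work an exhaustive search of an a-bit key costs
    than a b-bit key. Each extra bit doubles the search, so this is
    2**(a - b), not a / b (the "1/2 to 1/3" mistake the post corrects)."""
    return keyspace(bits_a) // keyspace(bits_b)


def brute_force_seconds(bits: int, trials_per_second: float, average: bool = False) -> float:
    """Time to search the keyspace at `trials_per_second`.
    average=True gives the expected time: on average the right key turns up
    halfway through, so only half the keyspace has to be tried."""
    keys = keyspace(bits) / (2 if average else 1)
    return keys / trials_per_second


def brute_force_millennia(bits: int, trials_per_second: float, average: bool = False) -> float:
    """Same as brute_force_seconds, expressed in millennia (the post's unit)."""
    return brute_force_seconds(bits, trials_per_second, average) / SECONDS_PER_YEAR / 1000


def required_rate(bits: int, seconds: float) -> float:
    """Key trials per second needed to exhaust a keyspace within `seconds`."""
    return keyspace(bits) / seconds


if __name__ == "__main__":
    for bits in (40, 56, 128):
        print(f"{bits:3d}-bit: 2^{bits} = {keyspace(bits):.1e} possible keys")
    print(f"56-bit vs 40-bit: {work_ratio(56, 40):,}x the work (post rounds to 70,000)")
    print(f"128-bit vs 40-bit: {work_ratio(128, 40):,}x the work")
    print(f"128-bit vs 56-bit: {work_ratio(128, 56):,}x the work")
    # SETI@home at 50 TFLOPS, one trial per FLOP, full keyspace (constructed from the post)
    print(f"128-bit at 50 TFLOPS: {brute_force_millennia(128, 50e12):,.0f} millennia")
    # Implied trial rate of the Berkeley 40-bit crack described in the post ("about four hours")
    print(f"40-bit in 4 hours needs about {required_rate(40, 4 * 3600):.2e} trials/s")
```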