Pantek Library

Re: 40-bit VS 128-bit Encryption

From: phil baskers <phil(at)baskerville.cjb.net>
Date: Sun Jun 22 2003 - 11:30:23 EDT

Morning,

I am not fully up to date with US law but I believe that it is illegal to "export" encryption stronger than 56 bits from the US with the inclusion of a backdoor "for law enforcement". If no backdoor, the limit is 40 bits. These figures are old and I cannot guarantee that they are up to date but can imagine the law would have been changed since 9-11.

Basically, whatever encryption level you set for the website, it will not make much difference for the strength of the encryption. Chances are that if someone wants to break in they will, but encryption may slow someone down enough so that they lose interest.

As pointed out previously, there are many aspects in dealing with a web presence security. Usernames and passwords encryption should not be an end-all. Regular backups, physical security, server integrity, etc...

I am an information science student and my security lecturer's words sum it up: "It may be secure today, but who knows about tomorrow, just back it up tonight."

cheers,

Phil


Student
Otago
New Zealand

If interested more in encryption law...

http://www.banned-books.com/truth-seeker/1994archive/121_3/ts213c.html
Agents from the U.S. Customs Service visited Zimmerman in February 1993 to ask him about the "export" of PGP. Under the current interpretation of the International Traffic in Arms Regulations, cryptographic software like PGP is classified as "munitions" and cannot be legally exported without permission from the federal government. "The mere posting of encryption software is tantamount to exporting it," explains Danny Weitzner of the Electronic Frontier Foundation.

http://www.lawnotes.com/encrypt.htm
The export and reexport of 56-bit key length DES or equivalent strength encryption items is now permitted under the authority of a special License Exception - if the exporter makes satisfactory commitments to build and/or market recoverable encryption items (i.e., "back door" capability for law enforcement)

----- Original Message -----
From: "Paul Benedek" <paul.benedek@excis.co.uk>
To: "'Stephen Bock'" <sbock@smchcn.net>; <security-basics@securityfocus.com>
Sent: Saturday, June 21, 2003 7:50 AM
Subject: RE: 40-bit VS 128-bit Encryption

Hello Stephen,

40-bit encryption has been broken; however, it is unlikely that the average hacker has the capabilities to decrypt 40-bit traffic. If your data is not highly sensitive, then 40-bit encryption may suffice.

Encryption alone will not protect you, however. If you are sending passwords and usernames, make sure that they are strong passwords and are changed regularly as well, and that you have an enforceable security policy that ensures this.

Regards,


Paul Benedek
Director
Excis Networks Limited
http://www.excis.co.uk

-----Original Message-----
From: Stephen Bock [mailto:sbock@smchcn.net]
Sent: 19 June 2003 18:22
To: security-basics@securityfocus.com
Subject: 40-bit VS 128-bit Encryption

I am setting up a secure website and I was wondering which would be better to use, 40-bit or 128-bit? Obviously, 128-bit would be stronger and not easily crackable, but it is also more expensive. Does anybody know if 40 or 128-bit has been cracked yet? I'm not going to be transmitting any credit card info over the net, but I will be sending username, password, etc. What are your thoughts?



Stephen Bock
Information Technology/Webmaster
Samaritan Ministries International



Received on Mon Jun 23 12:55:17 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:05:00 EDT

