1996-04-09 - Re: Bank transactions on Internet

Header Data

From: Eric Young <eay@mincom.oz.au>
To: JR Weaver <weaver@harry.bwi.wec.com>
Message Hash: a9a8699f5968377669c600f53f4c5488b6466fc7c84ef42a523b3ee4ac9ba270
Message ID: <Pine.SOL.3.91.960409104403.28771C-100000@orb>
Reply To: <9604081642.ZM1632@harry.bwi.wec.com>
UTC Datetime: 1996-04-09 06:49:27 UTC
Raw Date: Tue, 9 Apr 1996 14:49:27 +0800

Raw message

From: Eric Young <eay@mincom.oz.au>
Date: Tue, 9 Apr 1996 14:49:27 +0800
To: JR Weaver <weaver@harry.bwi.wec.com>
Subject: Re: Bank transactions on Internet
In-Reply-To: <9604081642.ZM1632@harry.bwi.wec.com>
Message-ID: <Pine.SOL.3.91.960409104403.28771C-100000@orb>
MIME-Version: 1.0
Content-Type: text/plain


On Mon, 8 Apr 1996, JR Weaver wrote:
> with SFNB to purchase my own copy of 128-bit Netscape Navigator. You can make
> transactions over the net and SFNB does not limit you to 128-bit. Is it really
> that easy to break 40-bit? Don't you need access to a "fair amount of cpu
> power" to brute force crack 40bit? As far as I know client authentication is
To put it in a word, 'yes'.

> strictly username & password. What other authentication system exists??
This would be a very good system to attack.

Last year during the 'break SSL export' saga, I was able to search 2^39 of
the key space mostly using networked workstations that were 486DX50's and
sparc 20's.  This took 2 weeks and basically I ran for 12 hours each night
and no-one at work really knew I was doing this. Well I now have a pentium
100 and they are starting to appear all over the place, they run my code 3
times faster.  This now means that some-one like me, working in a large
software company, if it was fitted out with lots of pentiums would be able
to definitely get your username and password in less than 10 days with
basically no-one knowing that this had been done. Hell, I still have my
software sitting around, it is automated, it would only take me a
month, with no intervention from me until I get the email with the
results.

Please remember that I'm not talking about theory.  Besides the person
working next to me, no-one at work knew I was participating in the brute
force breaking attempt.  Well this is not totally true, the owner of the SGI
with 6 R4400 CPU's noticed that I was using a few of the CPU's but they
did not know what the programs were doing :-).

I would say that RC4 40 should not be used if possible, especially to do 
with anything to do with banking.

eric (just putting in his own 2 certs worth).
--
Eric Young                  | Signature removed since it was generating
AARNet: eay@mincom.oz.au    | more followups than the message contents :-)
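The work-factor reasoning in the message above, carried through as an added calculation (not part of the original post): it derives the aggregate key-test rate implied by the quoted figures (2^39 keys, 2 weeks, 12 hours a night), applies the quoted 3x Pentium speedup, and compares the expected time for 40-bit, 56-bit and 128-bit keys. The numbers are back-of-envelope estimates from the post's own figures, and the assumption that the run was continuous within each 12-hour window is mine.

```python
"""Brute-force work-factor estimate from the figures in the message above.
Added illustration: all rates are inferred from the quoted numbers, not measured."""

KEYS_SEARCHED = 2 ** 39      # keyspace the 1995 run covered (half of 2^40)
NIGHTS = 14                  # "2 weeks"
HOURS_PER_NIGHT = 12         # "12 hours each night"
PENTIUM_SPEEDUP = 3.0        # "they run my code 3 times faster"


def implied_rate(keys=KEYS_SEARCHED, nights=NIGHTS, hours_per_night=HOURS_PER_NIGHT):
    """Aggregate keys tested per second by the 1995 setup.
    Assumption (mine): the search ran continuously inside each nightly window."""
    return keys / (nights * hours_per_night * 3600)


def expected_search_days(key_bits, keys_per_second, hours_per_day=24.0):
    """Expected wall-clock days to recover a key of `key_bits` secret bits.
    On average half the keyspace is tried; only `hours_per_day` of each day is usable."""
    expected_keys = 2 ** (key_bits - 1)
    seconds = expected_keys / keys_per_second
    return seconds / 3600 / hours_per_day


def comparison(hours_per_day=HOURS_PER_NIGHT):
    """Days to break 40/56/128-bit keys at the 1995 rate and at 3x (Pentium 100s).
    Returns {key_bits: (days_1995, days_pentium)}."""
    rate_1995 = implied_rate()
    rate_pentium = rate_1995 * PENTIUM_SPEEDUP
    return {
        bits: (expected_search_days(bits, rate_1995, hours_per_day),
               expected_search_days(bits, rate_pentium, hours_per_day))
        for bits in (40, 56, 128)
    }


if __name__ == "__main__":
    print(f"implied aggregate rate (1995 run): {implied_rate():,.0f} keys/s")
    for bits, (d1995, dpent) in comparison().items():
        print(f"{bits:3d}-bit secret: {d1995:12.3g} days (1995 mix), "
              f"{dpent:12.3g} days (same fleet of Pentium 100s), 12 h/day")
```

The 40-bit row reproduces the post's own experience (14 nights) and its claim for Pentiums (under 5 nights), while the 56-bit row runs to centuries and the 128-bit row is out of reach by any such means, which is the substance of the advice not to use RC4-40.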