1995-10-24 - 80 bit security from 40 bit exportable products

Header Data

From: "baldwin" <baldwin@RSA.COM (Robert W. Baldwin)>
To: cypherpunks@toad.com
Message Hash: d48a7a4ce74d74ad8765e9625d8172b0ec8bcdd47bb2d8230ea66589bf5befc4
Message ID: <9509248145.AA814557096@snail.rsa.com>
Reply To: N/A
UTC Datetime: 1995-10-24 17:53:16 UTC
Raw Date: Tue, 24 Oct 95 10:53:16 PDT

Raw message

From: "baldwin" <baldwin@RSA.COM (Robert W. Baldwin)>
Date: Tue, 24 Oct 95 10:53:16 PDT
To: cypherpunks@toad.com
Subject: 80 bit security from 40 bit exportable products
Message-ID: <9509248145.AA814557096@snail.rsa.com>
MIME-Version: 1.0
Content-Type: text/plain


        Long ago vendors should have put encryption into network layer
products, but for a variety of reasons that effort was delayed or
discouraged.  One effect of this lack is that almost every layer of
the network stack is adding its own encryption.  For example, the
HTTP session layer added S-HTTP and the TCP transport layer added
SSL.  Soon we will have network layer encryption with IPsec.
        The vendors for each layer can export a product that uses
ciphers with 40 bit keys.  A user can then combine multiple
products to get more than 40 bits worth of security.  For example,
a web client might fetch an S-HTTP page over an SSL protected link
via a firewall that supports IPsec tunnels.  That's three 40 bit
keys protecting the data over the internet link (of course, this
may not be equivalent to a 120 bit cipher, that depends on the
details of the cipher systems and independence of the key setups).
Interesting possibilities.
                --Bob Baldwin





