1998-09-20 - Re: Questions for Magaziner?

Header Data

From: “Arnold G. Reinhold” <reinhold@world.std.com>
To: dcsb@ai.mit.edu
Message Hash: 9f5dae3dead0b661641fbf324d6f738b04eed5c8ea494291c59efc5c9247d26d
Message ID: <v03130301b22abea15c89@[24.128.118.53]>
Reply To: N/A
UTC Datetime: 1998-09-20 06:15:03 UTC
Raw Date: Sun, 20 Sep 1998 14:15:03 +0800

Raw message

From: "Arnold G. Reinhold" <reinhold@world.std.com>
Date: Sun, 20 Sep 1998 14:15:03 +0800
To: dcsb@ai.mit.edu
Subject: Re: Questions for Magaziner?
Message-ID: <v03130301b22abea15c89@[24.128.118.53]>
MIME-Version: 1.0
Content-Type: text/plain



>> Arnold G. Reinhold wrote:
>>
>> One question I'd like asked is whether the US Gov will approve 56-bit RC-4
>> for export on the same terms as 56-bit DES. That would allow export
>> versions of web browsers to be upgraded painlessly, making international
>> e-commerce 64 thousand times more secure than existing 40-bit browsers.
>> (56-bit DES browsers would require every merchant to upgrade their SSL
>> servers and introduce a lot of unneeded complexity.)
>
>Actually, it wouldn't be any easier to deploy 56-bit RC4 than DES.  Either
>would require roughly the same changes to both clients and servers.
>

I was under the impression that 40-bit RC4 was accomplished by revealing 88
bits of the 128-bit key in a header. If a new 56-bit-RC4 browser was
implimented by setting16 of those 88 bits to zero, would any existing
server know the difference? If not, you would get an immediate improvement
in security, at least for browser to server messages, without waiting for
the servers to be upgraded.

No doubt I am missing something, but what?

Arnold






Thread