[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSL challenge -- broken !


From: [email protected] (Damien Doligez)
> This is to announce the solution of the SSL challenge posted by Hal
> Finney on July 17, 1995 (message-ID: <[email protected]>),
> also found at: <URL:http://www.portal.com/~hfinney/sslchal.html>

Although it is hardly necessary, I can confirm the accuracy of the
decryption found, and I extend my congratulations for this achievement!

Ironically, I understand that an independent effort coordinated by Adam
Back also discovered the key at approximately the same time.  In
addition, Eric Young had done a search starting at 8000000000 and
upwards; unfortunately the key value of 7ef0961fa6 was only about one
percent below his starting point.  Hopefully Adam will supply more

It will be interesting to see what the fallout is from this
accomplishment.  It should provide ammunition for the current effort by
Microsoft and other companies to try to persuade the government to allow
the export of full 56 bit DES.

Knowing the tendency of the media and the net to oversimplify, this will
probably come out as "SSL is broken" just as the RSA-129 result led to
"RSA is broken" stories.  This would not be as egregious an
oversimplification as in the RSA case, but in fairness it should be
recognized that SSL as a spec provides support for much stronger ciphers
than the intentionally weakened RC4-40 which was broken here, but
Netscape was constrained by the government to supply browsers with only
the weak encryption.

I am a little alarmed by the suggestion that this news could have some
marked impact on the Netscape stock price.  From our perspective this was
certainly an unsurprising result (not to take anything away from Damien
and others who worked on it).  It is a useful reminder that the things we
work on here can have profound consequences.

Hal Finney
[email protected]

Version: 2.6