Fog Creek Software
Discussion Board




Verisign 40-bit and 128-bit certs

I don't know a lot about how SSL actually works, but what is the real difference between the Verisign 40-bit and 128-bit certificate?

If I go to a SSL site that uses the 40-bit, it still says it's encrypted at 128-bits if you go to the certificate information.

Is there any difference other than the price? Also, is the certificate really something like 1024 bits, and the 40 and 128 bit certificates somehow set the "session key?" I don't really know what that means, but that's the best I came up with so far.

Bob
Tuesday, January 20, 2004

There are various algorithms:
1. symmetrical algo, such as DES
2. unsym using private key and public key

Usually, for the internet transaction the usage of "private and public key" is more convinient for a reason. Therefore most of them belong to this category. The algorithm is very simple, that is multiplying two LARGE prime numbers. For the detail, please refer to any security textbooks. We need the key to be as large as possible, 1024 bits, 2048 bits, etc.

I guess the 40-bit refers to the DES algoruthm

Richard Sunarto
Tuesday, January 20, 2004


Forget to add,

"Verisign" acts as the intermediate party to bridge the trust between two transacting parties. Both parties must "trust" verisign to do the business. Therefore, we also need the key to identify verisign. Usually, it is embedded inside the browser before shipped to the consumer.

The name of the algorithm is RSA (abb. from the name of the 3 creators).

Richard Sunarto
Tuesday, January 20, 2004

If the 40-bits refers to the DES algorithm, does that mean paying $800 for their 128-bit certificate would provide stronger encryption?

Bob
Tuesday, January 20, 2004

Verisign has always misadvertised their certificates this way.  Here is the gist of it from their FAQ:

Secure Site Pro and Commerce Site Pro Services include 128-bit Global Server IDs, which enable 128-bit SSL encryption - the world's strongest - with both domestic and export versions of Microsoft® and Netscape® browsers. (Most people in the U.S. use export-version browsers).

Secure Site and Commerce Site Services include 40-bit SSL Certificates, which enable 40-bit SSL when communicating with export-version Netscape and Microsoft Internet Explorer browsers, and 128-bit SSL encryption when communicating with domestic-version Microsoft and Netscape browsers.

Another key difference between 128-bit Global Server IDs and 40-bit SSL Certificates is the number of server platforms that support them. Global Server IDs are supported by many major platforms, while SSL Certificates are supported by a much longer, more comprehensive list of platforms.

Contrary to what they claim I believe most people in the US use domestic-version browsers.  Every place I have ever worked for that has bought a certificate from them has bought the 40-bit certificate.  We never had any problem with browsers not being able to do 128-bit.

Anonymous
Tuesday, January 20, 2004

Now I'm even more confused!

Bob
Tuesday, January 20, 2004

Richard

DES is a 64 bit algorithm (in fact 56 since one octet remains unused). There is no 40 bit version I know of, but there is a Triple-DES implementation.

coresi
Tuesday, January 20, 2004

Extremely simplified:

When using a 40-bit server certificate, you may well wind up with a session encrypted using a 128-bit key that was negotiated under encryption provided by the original 40-bit key.

The 40-bit key is the weak link, and if someone manages to crack that encryption, he/she/it/they could theoretically capture the 128-bit key, and therefore unencrypt the rest of the traffic.

Mind you, none of this is anywhere near trivial.

Greg Hurlman
Tuesday, January 20, 2004

OK, I'm wrong about it. :) long time ago.

To clarify is it 40-bit and 128-bit keys are for client's session? while the 1024-bits/etc are for CA (Certificate Authority) such as Verisign?

Thanks

Richard Sunarto
Wednesday, January 21, 2004

some of the differences in 'number of platforms supported' comes from old (or possibly current in some countries) export regulations. i forget the details, but basically one of the encryption steps uses a 'smaller' key, thus making it easier to crack.

also, you can get the cert from a CA other than Verisign, and that's probably a good idea. but i'm not quite sure who's out there right now.

mb
Wednesday, January 21, 2004

"To clarify is it 40-bit and 128-bit keys are for client's session? while the 1024-bits/etc are for CA (Certificate Authority) such as Verisign"

Yes -- the client gets the site's cert which is basically their public key (512/1024 bits etc) plus some identifying info such as the site's DNS name (as the "cn" field in the cert) which is digitally signed by the cert authority. The browser already has the public keys of the major cert authorities so can verify the cert's signature (which was created by the cert authority's private key). Once this is done, it verifies that the cn == current DNS name, it hasn't expired, etc - then the client comes up with the 40/128 bit session key - which it can securely transmit back to the site using the site's public key (only the site can decrypt this session key as only they have the corresponding private key to the public key). Then you can continue using a symmetric algorithm like DES using that 40/128 bit key.

Duncan Smart
Wednesday, January 21, 2004

>>"you can get the cert from a CA other than Verisign, and that's probably a good idea. but i'm not quite sure who's out there right now. "

In IE - go to Tools > Internet Options > Content > Certificates and consider anyone who's got their certification authority certificates installed into "Trusted Root Certification Authorities". Bear in mind that Thawte (and probably others) have been bought by Verisign...

Anyone can be a certification authority (a Cert Server has been shipping with Windows since NT4 Option Pack) - but fewer people can get their certification authority certificates installed on many of the desktops out there.

Duncan Smart
Wednesday, January 21, 2004

*  Recent Topics

*  Fog Creek Home