Q: How secure is the encryption used by SSL?
A: It would take significantly longer than the age of the universe to crack a 128-bit key.
SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the HTTP transaction (both request and response). Each transaction uses a different session key, so even if someone did manage to decrypt one transaction, they would not thereby have recovered the server's secret key; to decrypt another transaction, they would need to spend as much time and effort on the second as they did on the first. Of course, they would first have to find some way of intercepting the transaction data at all, which is in itself extremely difficult. It would be significantly easier to tap your phone, or to intercept your mail, to acquire your credit card number than to somehow intercept and decode Internet data.
Servers and browsers do encryption ranging from a 40-bit secret key to a 128-bit secret key, that is to say 2 to the 40th power or 2 to the 128th power possible keys. Many people have heard that 40-bit is insecure and that you need 128-bit to keep your credit card information safe. They feel that using a 40-bit key is insecure because it is vulnerable to a "brute force" attack (basically trying each of the 2^40 possible keys until you find the one that decrypts the message). This was in fact demonstrated when a French researcher used a network of fast workstations to crack a 40-bit encrypted message in a little over a week. Of course, even this 'vulnerability' is not really applicable to applications like an online credit card transaction, since the transaction is completed in a few moments. If a network of fast computers takes a week to crack a 40-bit key, you would have completed your transaction and be long gone before the hacker even got started.
Of course, using a 128-bit key eliminates any problem at all, because there are 2^128 instead of 2^40 possible keys. Using the same method (a network of fast workstations) to crack a message encrypted with such a key would take significantly longer than the age of the universe using conventional technology. Remember that 128-bit is not just 'three times' as powerful as 40-bit encryption. 2^128 is 'two times two, times two, times two...' with 128 twos: that is, two doubled on itself 128 times. 2^40 is already a HUGE number, about a trillion (that's a million million!). Therefore 2^128 is that number (a trillion) doubled over and over on itself another 88 times. Again, it would take significantly longer than the age of the universe to crack a 128-bit key.
| Key Size | Power of 2 | Expansion | Possible Key Combinations |
|---|---|---|---|
| 2-bit | 2^2 | 2x2 | = 4 |
| 3-bit | 2^3 | 2x2x2 | = 8 |
| 4-bit | 2^4 | 2x2x2x2 | = 16 |
| 5-bit | 2^5 | 2x2x2x2x2 | = 32 |
| 6-bit | 2^6 | 2x2x2x2x2x2 | = 64 |
| 7-bit | 2^7 | 2x2x2x2x2x2x2 | = 128 |
| 8-bit | 2^8 | 2x2x2x2x2x2x2x2 | = 256 |
| 9-bit | 2^9 | 2x2x2x2x2x2x2x2x2 | = 512 |
| 10-bit | 2^10 | 2x2x2x2x2x2x2x2x2x2 | = 1024 |
| 11-bit | 2^11 | 2x2x2x2x2x2x2x2x2x2... | = 2048 |
| 12-bit | 2^12 | 2x2x2x2x2x2x2x2x2x2... | = 4096 |
| 16-bit | 2^16 | 2x2x2x2x2x2x2x2x2x2... | = 65536 |
| 24-bit | 2^24 | 2x2x2x2x2x2x2x2x2x2... | = 16.7 million |
| 30-bit | 2^30 | 2x2x2x2x2x2x2x2x2x2... | = 1 billion (1,073,741,800) |
| 40-bit | 2^40 | 2x2x2x2x2x2x2x2x2x2... | = 1 trillion (1,097,728,000,000) |
| 56-bit | 2^56 | 2x2x2x2x2x2x2x2x2x2... | = 72 thousand quadrillion (71,892,000,000,000,000) |
| 128-bit | 2^128 | 2 multiplied by 2, 128 times over | = 339,000,000,000,000,000,000,000,000,000,000,000 (give or take a couple trillion...) |
Doing the math, you can see that using the same method that was used to break 40-bit encryption in a week, it would take about 72 million weeks (about 1.4 million years) to even break '56-bit medium' encryption, and significantly longer than the age of the universe to crack a 128-bit key. Of course, the argument is that computers will keep getting faster, roughly doubling in power every 18 months. That is true, but even when computers are a million times faster than they are now (about 20 years from now if they double in speed every year), it would still take about 6 thousand trillion years, which is about a million times longer than the Earth has been around. Plus, simply upgrading to 129-bit encryption would take twice as long, and 130-bit would take twice as long again. As you can see, it is far easier for the encryption to keep well ahead of the technology in this case. Simply put, 128-bit encryption is totally secure.
Q: How do I know if encryption is enabled or not?
A: Your Browser (Netscape or Internet Explorer) will tell you.
In Netscape versions 3.X and earlier you can tell what kind of encryption is in use for a particular document by looking at the "Document Information" screen accessible from the File menu. The little key in the lower left-hand corner of the Netscape window also indicates this information: a solid key with three teeth means 128-bit encryption, a solid key with two teeth means 40-bit encryption, and a broken key means no encryption. Even if your browser supports 128-bit encryption, it may use 40-bit encryption when talking to other servers or to servers outside the U.S. and Canada. In Netscape versions 4.X and higher, click on the "Security" button to determine whether the current page is encrypted and, if so, what level of encryption is in use.
In Microsoft Internet Explorer 6.X and earlier, a
solid padlock will appear on the bottom right of the screen when encryption is
in use. To determine whether 40-bit or 128-bit encryption is in effect, open the
document information page using File->Properties. This will
indicate whether "weak" or "strong" encryption is in use. In Microsoft Internet
Explorer 7.0 the lock appears at the end of the address bar when on a secure
page and no lock will appear when on an unsecured page. You can click on the
lock itself to view certificate information. IE 7 also offers additional
features such as color coding of the address bar to help determine if a site is
safe and secure.
Q: What about warnings or errors about the Secure Certificate?
A: Your personal security settings will determine what warnings you see.
Depending on how your security settings are set up in your browser, you may also see information about our certificate when you enter the secure directories. This information will usually include the dates that the certificate is valid for, the site name that the certificate has been issued to, and the Certificate Authority (or 'CA') that issued the certificate.
The most common warning is that you have not previously chosen to trust the authority. This is a normal warning if you haven't already purchased anything online from a merchant whose certificate was issued by a Certificate Authority that you haven't told your browser to trust from now on. Of course, you may well have no errors, warnings or information screens at all, again largely depending on the way you have your security settings set in your browser.
In any case, the encryption level and the security are the same whether you have your settings low (don't warn me about anything) or very high (warn and inform me about everything). Either way, your data is still encrypted and still secure.
Q: What happens when the credit card is actually processed?
A: The transaction is totally secure.
At Samurai Swords 4 U, the security of your personal information is paramount. All credit card transactions are completed using a 128-bit SSL encrypted secure transaction. When we transmit the information to the bank's secure SSL server, they require a 128-bit transaction and will not process a transaction without one. Even though 40- or 56-bit transactions are very secure, our bank's insistence on 128-bit SSL means that there is never any chance of your information ever being intercepted or decoded. Again, your security is of paramount importance to us.