On Thu, Jul 27, 2000 at 09:14:11AM -0700, [EMAIL PROTECTED] wrote:
> 
> A colleague asked yesterday "I wonder how much Diffie-Hellman is actually 
> used?", as we were sitting around talking about authentication (in particular) 
> and security (in general) protocols.
> 
> So I'm curious, are there any studies on what is actually deployed "out there" 
> and/or available in products -- qualified as the set of algorithms discussed 
> in Chapters 19 and 22 of Applied Cryptography 2nd Ed?
> 
> I suppose that a bunch of what's "out there" is under wraps and so data isn't 
> available, but commercial-off-the-shelf stuff generally touts what 
> algorithms/protocols it implements.


I just completed a survey of deployed SSL server security, and one of
the things I looked at is the support for the different ciphersuites.
While SSL/TLS != all crypto, it's probably the most common protocol, so
my results might give you some idea of how much DH and other algorithms
are supported.

I found that 38% of the servers in my study were insecure --
they used weak 40-bit ciphersuites, 512-bit or smaller keys, self-signed
certs or had an expired cert (or had more than one of these insecurities).
That's pretty awful.

http://www.lne.com/ericm/papers/ssl_servers.html

The stats for ciphersuites supported are on the 'detailed results' page
along with a list of the weak servers I found. There's also
a form for checking the security of an SSL server.

-- 
  Eric Murray http://www.lne.com/ericm  ericm at lne.com  PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards. 
