Has 128-bit SSL been broken yet?

I've been reading too many conflicting accounts online. I'd like to know specifically if 128-bit has been broken; I know it's well known that 56-bit has been broken. Also, there are all these estimates that billions of years are needed to crack a 128-bit key. All those estimates don't seem to take into account the distributed computing potential.

Can someone point to the most recent information?

Apparently so?

Most of the sites saying that it has never been broken are from encryption and security companies - hardly likely to say that it is not secure.

Yup…it’s been cracked. Certainly governments can do it and as scm1001 pointed out private parties have done so as well.

Any encryption scheme is crackable. The real issue is just how hard they are to crack. If you need to own a multimillion dollar supercomputer to crack some encryption scheme in your lifetime then your data is fairly secure with only a few governments or perhaps very large companies capable of doing it.

For the private individual(s) who have done this they used many computers running in a sort of parallel processing to get the equivalent use of a supercomputer. While doing such a thing is within the means of anyone semi-organized it is not a terribly secret way to go about hacking data. If you were attempting this method for nefarious purposes you are likely to be a relatively easy person to be fingered by the FBI or CIA or NSA.

Of course, you can set your home PC to work on the task of cracking SSL. If it’s the 128-bit variety you are hacking your computer will have to ‘merely’ work its way through roughly 3.4x10^38 possible combinations (that’s a REALLY big number). As fast as your computer may be today you aren’t likely to get your answer in your lifetime, your children’s lifetime and probably a few more generations to boot.

I seem to recall that a couple of college students found a weakness in the algorithm about 2 years ago and didn’t break it by brute force (therefore not requiring a supercomputer). I’ll find the reference and post it later today.

The RSA-RC4 algorithm which is used in SSL has been defeated as a result of poorly devised key generators, on insufficiently large keys. Here’s a paper from MIT that shows how the SSL Challenge was met. Here’s a short article about SSL keys.

Here is a list of various encryption methods that have been compromised with links to information about how it was accomplished.

Evilhanz, unfortunately all the references you provide are the ones I read over before my original post, and I found them to be conflicting.

This paper from MIT is dated 1997, first of all, and it does not at all make a claim that a 128-bit key has been cracked. It does state that a 40-bit SSL key has been cracked and 56-bit DES has also been cracked. Let me be clear: I am interested in the 128-bit public encryption (the ones used for most credit card transactions for ecommerce today).

Here is a quote from that paper:
"Very recently (on January 13, 1998) RSA issued a second DES challenge, which only gives prizes for cracking efforts which beat the previous best time by at least 25%, with the prize amount increasing based on the improvement. Distributed.Net has created their first dual-purpose clients to allow simultaneous work on the DES Challenge II and the 64-bit RC5 challenge. Users choose which challenge to work toward (though Distributed.Net has stated DES as its current priority), and the client will automatically switch to the other when the first one ends." How can they even make a reference to 1998 when the paper is dated Fall 1997?

I went to the RSA website http://www.rsasecurity.com and there is information about the DES III challenge but no information about a 128-bit key challenge of any kind.

Next, the list: well, the list links to the MIT paper. The list claims that SSL RC4 in its “strong” form (assuming strong stands for 128-bit) has been cracked, but then the MIT paper does not claim that. So I can't rely on this list.

Lastly, and the most conflicting reference: the short article dated 1999 claims that a 140-bit RSA key has been broken in an RSA Laboratories challenge. The article provides no references whatsoever. Is it talking about the RSA Security (www.rsasecurity.com) challenges? I found no such challenge mentioned on their website. I have not been able to find any other articles that confirm what this article says.

So can anyone find out some concrete information?