[1077] in cryptography@c2.net mail archive
Re: Thoughts on the next target.
daemon@ATHENA.MIT.EDU (ET)
Tue Jun 24 14:28:11 1997
From: "ET" <emergent@eval-apply.com>
To: <cryptography@c2.net>
Date: Tue, 24 Jun 1997 10:32:57 -0400
A somewhat popular police/public safety package encrypts over-the-air
transmissions with DES in ECB mode. In addition, there is no
session key, and the DES key is hardwired into the executable.
----
From: Marcus Leech <mleech@nortel.ca>
To: David P. Jablon <dpj@world.std.com>
Cc: cryptography@c2.net
Date: Monday, 23 June, 1997 22:42
Subject: Re: Thoughts on the next target.
>
> Any of several widely-used challenge/response password
> systems make attractive targets. A simple marriage
> of a dictionary cracker connected to a strategically-placed
> network sniffer, should produce an embarrassing flood of results.
>
Many of these systems (CryptoCard, etc) use DES in one mode or another,
and the ones that don't use DES use a proprietary hash function.
I think it's "splashier" to demonstrate weakness in widely publicized,
and widely used (in the used-in-more-than-one-application sense)
algorithms.
Brute-forcing the SecurID hash algorithm, for example, would require
that someone violate their license agreement with Security Dynamics/RSA.
"Algorithm Thieves today showed that SecurID cards aren't as secure
as manufacturer claims".
--
----------------------------------------------------------------------
Marcus Leech Mail: Dept 8M86, MS 238, CAR
Systems Security Architect Phone: (ESN) 393-9145 +1 613 763 9145
Systems Security Services Fax: (ESN) 395-1407 +1 613 765 1407
Nortel Technology mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------