[1081] in cryptography@c2.net mail archive
Re: Thoughts on the next target.
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Tue Jun 24 19:58:11 1997
To: "David P. Jablon" <dpj@world.std.com>
Cc: "Marcus Leech" <mleech@nortel.ca>, cryptography@c2.net
From: Marc Horowitz <marc@cygnus.com>
Date: 24 Jun 1997 19:00:35 -0400
In-Reply-To: "David P. Jablon"'s message of Tue, 24 Jun 1997 16:03:07 -0400
"David P. Jablon" <dpj@world.std.com> writes:
>> I wrote:
>> >> Any of several widely-used challenge/response password
>> >> systems make attractive targets.
>> You replied:
>> >Many of these systems (CryptoCard, etc) use DES in one mode or another,
>> > and the ones that don't use DES use a proprietary hash function.
>>
>> Even if triple-DES or SHA1, if it's used inappropriately, say
>> for ordinary challenge/response authentication of a password,
>> then the method is weak.

Ok, so you find such a weak system, and break it. What then? Getting
vendors to use proper techniques when designing cryptographic systems
is worthwhile, but I'm far more worried about the government than about
the vendors. I can find out which vendor has their figurative head
screwed on right, and buy from them, or if necessary, write good code
myself. I can recommend the same to my customers.

I don't have the freedom to pick and choose what laws I will follow.
(For those who would make the argument, civil disobedience is not
freedom.) Once we get the freedom to use crypto correctly, it will be
much easier to get the vendors to follow suit.

Marc