[2358] in cryptography@c2.net mail archive
Weak Crypto and Y2K
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Wed Mar 25 10:05:38 1998
In-Reply-To: <2E54ADBA8A53D111904900A0C97278DFB2878B@exchange.epicsys.com>
Date: Wed, 25 Mar 1998 08:36:01 -0500
To: Nathan Spande <nathan@epicsys.com>,
"'perry@piermont.com'" <perry@piermont.com>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: "'cryptography@c2.net'" <cryptography@c2.net>
At 4:29 PM -0600 3/23/98, Nathan Spande wrote:
>>
> I have a recollection of reading that there have been no reports
>of credit-card fraud through a straight 40-bit SSL link. Probably from
>amazon.com, but I would believe that it wasn't true. Anyway, I guess
>the point is that even weak crypto is likely to cut down on most of
>this, given the significantly more difficult nature of decrypting an SSL
>session to get a single card number. Granted, once a tool for doing
>this becomes available, rates would rise. But we know two things about
>most criminals: stupid and lazy. Once it becomes difficult to slurp
>credit card numbers off the net, they are going to move on to easier
>targets. Even 56 bits makes it so much more difficult to get individual
>numbers that they are going to attack the storage mechanism. That is
>where the real difficulty has come in: keeping the databases safe. That
>isn't so much about cryptography as it is about good security
>administrators and system administrators. Granted: good strong crypto
>has a place in every authentication system.
>
I think there is a parallel between designing electronic commerce
infrastructure today that use weak cryptography (i.e. 40 or 56 bit keys)
and, say, designing air traffic control systems in the '60s using two
digit year fields. You know it will work well enough for now, but that it
will certainly be a problem in the future. Yes, there are other weak points
that will have to be addressed, but that is no excuse for employing
crippled technologies. Just because you can retire before it all blows up
doesn't make it any less irresponsible.
Arnold Reinhold
Got crypto? http://ciphersaber.gurus.com
