[2381] in cryptography@c2.net mail archive


RE: Weak Crypto and Y2K

daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Fri Mar 27 09:06:59 1998

In-Reply-To: <2E54ADBA8A53D111904900A0C97278DFB287A4@exchange.epicsys.com>
Date: Fri, 27 Mar 1998 06:14:51 -0500
To: Nathan Spande <nathan@epicsys.com>,
        "'Trei, Peter'" <ptrei@securitydynamics.com>,
        "'perry@piermont.com'" <perry@piermont.com>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: "'cryptography@c2.net'" <cryptography@c2.net>

At 10:51 AM -0600 3/25/98, Nathan Spande wrote:
>Ok, I guess my point wasn't all that clear.  I'm not advocating the use
>of 40-bit, or even 56-bit systems.  My original point was that the
>argument of "strong encryption prevents crimes" is not a useful one.
>Even weak cryptography prevents crimes.  Our definitions of "strong" and
>"weak" will change as time goes on, 56 being the high end of "weak" now,
>rather than the low end of "strong".  We need to be careful in our
>arguments, as careful as we are in our implementations.  A bug in
>testimony before Congress is much more difficult to fix, and could cause
>much more damage, than a bug in your RC4 implementation.
>

I certainly agree that we must be careful in our arguments, especially
before Congress. But I do not agree with you about the utility of crime as
an argument for strong encryption. I believe that weak encryption and key
recovery are breeding grounds for new kinds of crime.  While many criminals
are stupid and lazy, some are not. If they can get at keys that protect
vast sums of money, they will figure out how to take advantage of that
situation.

If the Y2K analogy does not grab you, consider the use of social security
numbers and mothers' maiden names as a weak form of authentication by credit
card companies. This has led to a major new form of crime called "theft of
identity." Many authorities consider theft of identity to be the major
growth area in criminal activity today. This was totally predictable 30
years ago, but the argument was that the cost of a more secure system would
be greater than the losses expected from occasional fraud. Tell that to
someone whose credit identity has been stolen.


Arnold Reinhold

Got crypto? http://ciphersaber.gurus.com


