[872] in cryptography@c2.net mail archive
RE: DES cracking is making real progress
daemon@ATHENA.MIT.EDU (Peter Trei)
Wed May 21 14:11:55 1997
From: "Peter Trei" <trei@process.com>
To: Pat Farrell <pfarrell@netcom.com>,
"cryptography@c2.net" <cryptography@c2.net>
Date: Wed, 21 May 1997 09:32:14 -6
Reply-to: trei@process.com
CC: trei@c2.net

Pat Farrell of CyberCash, Inc. writes:
> At 12:00 PM 5/20/97 -0400, Nelson Minar wrote:
> >Is single DES still used to protect money transfers?
>
> Single DES, with real (random) session keys protected by RSA, is the
> heart of lots of Internet commerce, including the soon
> to be widely available and loved SET.
> Of course for the interesting protocols, cracking DES
> gives you one session key, which is often only one message.
> That may have some value, but you get to start all over
> with the next session.
> The American and UK bankers that I've talked to are quite
> comfortable with DES today. I don't know if breaking one
> key will change that.
> Pat

It's been said that all cryptography is economics. If the
cost to the attacker to crack a key is higher than the
profit that can be obtained by cracking it, the protocol
is safe.

If a given key is used for a single transaction, then the
value of the data in that single transaction must outweigh
the cost of the crack to be worth attacking. This is, as
you point out, frequently not the case.

However, there are many fielded applications of DES which
used stable fixed keys for long periods, and many transactions.
Eurocheque cards, for example, use the same key for thousands
of cards. Similarly, ATMs apparently use hardwired keys.

Special purpose DES-cracking hardware also skews the numbers
in the attacker's favor. There is a substantial up-front
cost, but the marginal cost of breaking each key is very low.
Thus, the development cost can be amortized over the number
of keys broken by the machine.

Peter Trei
trei@process.com