[881] in cryptography@c2.net mail archive
Re: DES cracking is making real progress
daemon@ATHENA.MIT.EDU (Bill Frantz)
Thu May 22 12:20:17 1997
In-Reply-To: <m0wUNBY-000RuEC@laptop.ka9q.ampr.org>
Date: Thu, 22 May 1997 00:39:39 -0700
To: Phil Karn <karn@qualcomm.com>
From: Bill Frantz <frantz@netcom.com>
Cc: cryptography@c2.net
At 7:00 PM -0700 5/21/97, Phil Karn wrote:
>>The American and UK bankers that I've talked to are quite
>>comfortable with DES today. I don't know if breaking one
>>key will change that.
>
>Another data point: Wells Fargo (a major California-based bank) has a
>policy of not allowing the "international grade" web browsers to be
>used for online banking for the more sensitive functions like writing
>checks to arbitrary recipients.
>
>I don't know how they feel specifically about 56-bit DES, but clearly
>their threshold of pain is somewhere above 40 bits.
I have not looked at Wells Fargo's web banking system, but if they use
passwords to authenticate users, they have an interesting security hole.
If they use the same password in 40-bit mode as in 128-bit mode, then a
40-bit mode session can be cracked and a long-term secret, the password,
extracted. Then that password can be used in a 128-bit session to write
arbitrary recipient checks.
-------------------------------------------------------------------------
Bill Frantz | The Internet was designed | Periwinkle -- Consulting
(408)356-8506 | to protect the free world | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments. | Los Gatos, CA 95032, USA
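
Added illustration, not part of the original message and not any bank's actual system: a policy that checks only the current session's key length, next to one that also tracks the weakest session the current password has ever been sent over. The 128-bit threshold, the event names and the sample events are assumptions constructed for this sketch.

```python
SENSITIVE_MIN_BITS = 128  # assumed threshold for "write checks to arbitrary recipients"


class CredentialLedger:
    """Tracks, per user, the weakest session key length the current
    password has been submitted over (hypothetical helper)."""

    def __init__(self):
        self._weakest = {}

    def record_login(self, user, session_bits):
        prev = self._weakest.get(user)
        self._weakest[user] = session_bits if prev is None else min(prev, session_bits)

    def record_password_change(self, user, session_bits):
        # A new password has only been exposed to the session that set it.
        self._weakest[user] = session_bits

    def effective_bits(self, user, session_bits):
        # The secret is only as strong as the weakest channel it has crossed.
        return min(self._weakest.get(user, session_bits), session_bits)


def naive_allows(session_bits):
    # Gate on the current session only: the gap the message points out.
    return session_bits >= SENSITIVE_MIN_BITS


def hardened_allows(ledger, user, session_bits):
    return ledger.effective_bits(user, session_bits) >= SENSITIVE_MIN_BITS


def replay(events):
    """Return (naive, hardened) decisions for each write_check event."""
    ledger, decisions = CredentialLedger(), []
    for kind, user, bits in events:
        if kind == "login":
            ledger.record_login(user, bits)
        elif kind == "change_password":
            ledger.record_password_change(user, bits)
        elif kind == "write_check":
            decisions.append((naive_allows(bits), hardened_allows(ledger, user, bits)))
    return decisions


# Constructed sample events: (kind, user, session key bits)
EVENTS = [
    ("login", "alice", 40),             # password sent over a 40-bit session
    ("login", "alice", 128),
    ("write_check", "alice", 128),      # naive allows; hardened refuses
    ("change_password", "alice", 128),  # fresh secret, never sent over 40-bit
    ("write_check", "alice", 128),      # both allow
    ("write_check", "alice", 40),       # both refuse
]
```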