[911] in cryptography@c2.net mail archive
Re: DES cracking is making real progress
daemon@ATHENA.MIT.EDU (Phil Karn)
Thu May 29 12:56:09 1997
Date: Thu, 29 May 1997 00:55:07 -0700 (PDT)
From: Phil Karn <karn@qualcomm.com>
To: frantz@netcom.com
CC: cryptography@c2.net
In-reply-to: <v0300780eafa9a80868ed@[207.94.249.80]> (message from Bill Frantz on Thu, 22 May 1997 00:39:39 -0700)

>I have not looked at Wells Fargo's web banking system, but if they use
>passwords to authenticate users, they have an interesting security hole.
>If they use the same password in 40 bit mode as in 128 bit mode, then a 40
>bit mode session can be cracked and a long-term secret, the password
>extracted. Then that password can be used in a 128 bit session to write
>arbitrary recipient checks.

This is a *very* good point. I don't know Wells Fargo's system, but I
do use Bank of America's -- and this attack would definitely succeed
there. On the other hand, their web banking service doesn't let you
write arbitrary checks.

Also, BofA's passwords are just 4 decimal digits. (I consider my home
banking account number to be essentially public, as it's a substring
of the account number on my Visa Check Card -- every gas station in
town has a copy of it by now). A 4-digit password is tiny by
offline-brute-force searching standards, but since you'd have to
conduct the search online there's some hope of their detecting it.

I do wish there was an option for certificate authentication instead
of passwords.

Phil
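As an added example, not part of the original thread: a small defender-side model of the two points raised above, a server that refuses password authentication over a 40-bit session so the long-term secret is never exposed to offline cracking, and a detector that spots online guessing of a 4-digit password from login logs. The policy thresholds, the log format and the sample log lines are assumptions constructed for illustration.

```python
# Added example, not code from the mailing list. Thresholds and log format are assumed.
import re
from collections import defaultdict

MIN_SESSION_KEY_BITS = 128   # assumed policy: no password auth over an export-grade session
PIN_SPACE = 10 ** 4          # 4 decimal digits, as in the post
LOCK_AFTER = 5               # assumed online-guess threshold per account
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<acct>\d+) (?P<result>OK|FAIL)$")


def accept_password_login(session_key_bits: int) -> bool:
    """Refuse password authentication unless the session cipher is strong.

    A password sent over a 40-bit session can be recovered offline and replayed
    into a 128-bit session, so the weak session is rejected before the password
    is ever transmitted, rather than after the fact."""
    return session_key_bits >= MIN_SESSION_KEY_BITS


def flag_online_guessing(log_lines, window=600, threshold=LOCK_AFTER):
    """Count FAIL events per account inside a sliding time window.

    Returns {account: (max_failures_in_window, fraction_of_pin_space_covered)}
    for accounts at or above the threshold. With a 10**4 password space the
    fraction shows how far an online search has progressed when it is caught."""
    fails = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["result"] == "FAIL":
            fails[m["acct"]].append(int(m["ts"]))
    flagged = {}
    for acct, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[acct] = (best, best / PIN_SPACE)
    return flagged


# Constructed sample log: "<unix-ts> <account> <OK|FAIL>"
SAMPLE_LOG = [
    "1000 4242 FAIL", "1010 4242 FAIL", "1020 4242 FAIL", "1030 4242 FAIL",
    "1040 4242 FAIL", "1050 4242 FAIL", "1100 7777 FAIL", "1150 7777 OK",
]
```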