[912] in cryptography@c2.net mail archive
Re: DES cracking is making real progress
daemon@ATHENA.MIT.EDU (Bill Frantz)
Thu May 29 13:17:30 1997
In-Reply-To: <199705290755.AAA26405@servo.qualcomm.com>
Date: Thu, 29 May 1997 09:05:20 -0700
To: Phil Karn <karn@qualcomm.com>
From: Bill Frantz <frantz@netcom.com>
Cc: cryptography@c2.net
At 12:55 AM -0700 5/29/97, Phil Karn wrote:
>>I have not looked at Wells Fargo's web banking system, but if they use
>>passwords to authenticate users, they have an interesting security hole.
>>If they use the same password in 40 bit mode as in 128 bit mode, then a 40
>>bit mode session can be cracked and a long-term secret, the password,
>>extracted. Then that password can be used in a 128 bit session to write
>>arbitrary recipient checks.
>
>...
>
>I do wish there was an option for certificate authentication instead
>of passwords.
I recommended to one client, who was about to walk into this trap, that
they use SSLv3 two-way authentication.
-------------------------------------------------------------------------
Bill Frantz | The Internet was designed | Periwinkle -- Consulting
(408)356-8506 | to protect the free world | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments. | Los Gatos, CA 95032, USA