[920] in cryptography@c2.net mail archive
Re: DES cracking is making real progress
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Thu May 29 19:33:40 1997
To: Jyri Kaljundi <jk@stallion.ee>
cc: Phil Karn <karn@qualcomm.com>, frantz@netcom.com, cryptography@c2.net
Date: Thu, 29 May 1997 18:39:17 -0400
From: Steven Bellovin <smb@research.att.com>
On Thu, 29 May 1997, Phil Karn wrote:
> This is a *very* good point. I don't know Wells Fargo's system, but I
> do use Bank of America's -- and this attack would definitely succeed
> there. On the other hand, their web banking service doesn't let you
> write arbitrary checks.
Here in Estonia the largest bank was using a system in their telebanking
(both modem and Internet) service, where all the data between the client
and server was encrypted using IDEA 128-bit keys, that's strong, isn't it.

The bad thing was that both ends were supposed to use the same session
encryption key, but the session key was never sent over the channel
according to the bank. That meant that both ends had someone know the
session key. The only thing that the bank user had to enter when beginning
the session was their 6-digit one-time password (actually even worse, it
was number from 1 to 999999). So what they did was probably
IDEAkey=md5hash(password) so they got 128-bit key from 6-digit number
(should be 2^20 or so).
This can be done very securely, if used in conjunction with Diffie-Hellman.
See, for example, ftp://ftp.research.att.com/dist/smb/neke.ps. (Of
course, perhaps they weren't doing it that way...)
Briefly -- and read the paper for more details, and be aware that the
scheme is patented -- you use the 6-digit PIN to encrypt each half of
a Diffie-Hellman exchange. Among other properties, it's immune to
password-guessing attacks. (Some of the variants described in that
paper have since been attacked successfully, in the sense that they
don't provide as much protection as intended. There was a paper at
the 1997 Oakland symposium describing these results. But using
Diffie-Hellman and encrypting both sides is still safe, if the
probabilistic padding isn't used.)
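The following is an added illustration of the two designs discussed in this message, not code from the NEKE paper, from the bank, or from anyone on the list. It contrasts the scheme Kaljundi describes (the 6-digit PIN hashed straight into the IDEA key, so the whole key space is the 10^6 possible PINs and a recorded session lets each guess be checked against known plaintext) with the idea Bellovin sketches: a Diffie-Hellman exchange in which each half is encrypted under the PIN, so an eavesdropper's PIN guess decrypts to some valid group element and nothing in the transcript confirms or refutes it. Everything here is a constructed toy: the modulus is a small safe prime, the generator is chosen to generate the whole multiplicative group (so every decryption is a plausible value), and multiplication by a PIN-derived element stands in for the symmetric cipher the real scheme uses. The KDF choices (SHA-256, a 128-bit session key) are assumptions; the paper, as Bellovin notes, covers variants and pitfalls that this sketch does not.

```python
# Added illustration of PIN-masked Diffie-Hellman (the DH-EKE idea Bellovin
# sketches). Not code from the paper or the list; the multiplicative mask is a
# simplification standing in for the scheme's symmetric cipher, and the group
# is a deliberately tiny toy so the arithmetic can be followed by hand.
import hashlib
import secrets

P = 1019            # constructed toy safe prime: P = 2*Q + 1
Q = (P - 1) // 2    # 509
G = 2               # primitive root mod 1019: generates every element of Z_P^*


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


# Check the toy parameters, since the "every decryption is a valid element"
# property below depends on G having full order P-1 (not 2 or Q).
assert _is_prime(P) and _is_prime(Q)
assert pow(G, 2, P) != 1 and pow(G, Q, P) != 1


def pin_mask(pin: str) -> int:
    """Map a 6-digit PIN to a nonzero group element (assumed KDF: SHA-256 mod P)."""
    h = int.from_bytes(hashlib.sha256(pin.encode()).digest(), "big")
    return 1 + (h % (P - 1))            # always in [1, P-1]


def mask(dh_half: int, pin: str) -> int:
    """'Encrypt' a DH public value under the PIN by multiplying by the PIN element."""
    return (dh_half * pin_mask(pin)) % P


def unmask(ciphertext: int, pin: str) -> int:
    """Invert mask(): multiply by the modular inverse of the PIN element."""
    return (ciphertext * pow(pin_mask(pin), -1, P)) % P


def derive_key(shared: int) -> bytes:
    """Session key from the agreed DH value (assumed KDF; 128 bits like an IDEA key)."""
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()[:16]


def client_hello(pin: str, a: int) -> int:
    """Client sends g^a masked under the PIN."""
    return mask(pow(G, a, P), pin)


def server_reply(pin: str, b: int, client_msg: int):
    """Server unmasks g^a, answers with masked g^b, and derives the key (g^a)^b."""
    ga = unmask(client_msg, pin)
    return mask(pow(G, b, P), pin), derive_key(pow(ga, b, P))


def client_finish(pin: str, a: int, server_msg: int) -> bytes:
    """Client unmasks g^b and derives the key (g^b)^a."""
    gb = unmask(server_msg, pin)
    return derive_key(pow(gb, a, P))


def guess_consistent(ciphertext: int, guessed_pin: str) -> bool:
    """What an eavesdropper learns from trying a PIN offline: only whether unmasking
    gives a valid group element. With a full-order generator it always does, so the
    transcript alone neither confirms nor rules out any guess (the property Bellovin
    cites). Contrast IDEAkey = hash(PIN), where each of the 10^6 guesses is testable."""
    return 1 <= unmask(ciphertext, guessed_pin) <= P - 1


def run_exchange(pin_client: str, pin_server: str, a=None, b=None):
    """Complete exchange; returns (client_key, server_key). Random exponents unless given."""
    a = a if a is not None else secrets.randbelow(P - 2) + 1
    b = b if b is not None else secrets.randbelow(P - 2) + 1
    c1 = client_hello(pin_client, a)
    s1, k_server = server_reply(pin_server, b, c1)
    k_client = client_finish(pin_client, a, s1)
    return k_client, k_server


if __name__ == "__main__":
    kc, ks = run_exchange("123456", "123456")
    print("matching PIN, keys agree:", kc == ks)
    kc, ks = run_exchange("123456", "654321")
    print("mismatched PIN, keys agree:", kc == ks)
    c1 = client_hello("123456", 7)
    print("every offline guess looks valid:",
          all(guess_consistent(c1, f"{n:06d}") for n in range(1000)))
```

With matching PINs both sides agree on the key; with a wrong PIN on either side the unmasked value is a different group element and the keys diverge, which is what turns a guess into an online event the server can count and rate-limit. The last check is the educational point: with the generator of full order, every candidate PIN unmasks a captured message to an in-range element, so a recorded session gives the guesser nothing to rank. That property is exactly what breaks when the group or padding is chosen carelessly (for example, a generator of a proper subgroup lets a guess be checked by subgroup membership), which is why the paper's details and the later attacks on some variants matter.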