[540] in WWW Security List Archive
40 Bit Cryptography
daemon@ATHENA.MIT.EDU (Mark C. Davis ((919)254-7865))
Mon Mar 27 14:12:54 1995
Date: Mon, 27 Mar 95 07:56:09 EST
From: "Mark C. Davis ((919)254-7865)" <davismc@vnet.ibm.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
OK, I read the spec again, so here is how it works. Server
authentication is done by encrypting the challenge under the Server Send
Key. The strength of this key is limited by the algorithm in use, so
could be 40 bits. However, the reply containing the encrypted challenge
is the first use of this key on the network. Thus, I don't see any
opportunity to run any attack on this key(see below). Up until this point,
the pertinent 40 bits of key are protected by the full length of the server's
public key. Thus all an attacker could do is guess the 40 bit key (a not
very high probability attack). Unless I am missing some other attack,
my conclusion is that the authentication strength is equal to the length
of the server's public key. (albeit, 40 bits is an awfully short nonce.)
Two points on 40 bit cryptography:
1. I agree that it is not any good for financial transactions. A determined
attacker could too easily break it. And when money is involved (even
relatively small amounts) determined attackers will be around.
On the other hand, the existing WWW security protocols, SHTTP and SSL,
are not satisfactory for financial transactions either. Although
these WWW protocols do provide general security, there is no way
they can address all the issues of money and buying things. That
will require specialized protocols that tie the authorization to
the goods delivered and provide services like non-repudiation.
Such protocols can easily be designed to avoid U.S. and French
regulations, and thus avoid the 40 bit weaknesses.
2. 40 Bit cryptography does have some usefulness. A bit of perspective
is necessary here. A high quality safe suitable for storing
classified documents will resist surreptitious entry for about
15 minutes (open one up and read the label inside if you are
skeptical). However, such devices are not considered jokes and
are required by about every security auditing agency.
Also, consider the inequality of security stability:
cost of protection < value of protected material < cost of break in
A lower cost of breaking in (40 bit DES) means only that only
relative low value information may be protected. My companies
secrets will not fall into this low value category. My credit
card number (already known to thousands of waiters and clerks
throughout the world) might. My dinner arrangements with my
wife will definitely fall into this low value category.
