[547] in WWW Security List Archive


Re: 40 bit encryption: Missing the point

daemon@ATHENA.MIT.EDU (Chuck Yerkes)
Mon Mar 27 20:16:26 1995

From: "Chuck Yerkes" <yerkes_chuck@jpmorgan.com>
Date: Mon, 27 Mar 1995 16:37:11 -0500
In-Reply-To: robert@cogsci.ed.ac.uk
        "40 bit encryption: Missing the point" (Mar 27,  4:00pm)
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

> wcs@anchor.ho.att.com expresses worries that people with criminal intent
> who could fork out $1M would be able buy enough computing power to break
> 40-bit encryption schemes and get credit card numbers for $100.
> 
> Now, if crooks are prepared to pay for credit card numbers (just the
> numbers, nothing else), surely they could get them for much less than $100
> by paying supermarket staff, waiters, garage attendants or travel agents to
> pass them on.

  The problem is that a 40-bit algorithm means that I can come close to
decrypting ONCE and using a large lookup table for the key.

  It's not dissimilar to the problems if my credit card was based on
my name (or other publicly available data).  In order to do financial
transactions (be they credit card info, or giving out portfolio
information or whatever), we need a somewhat secure method to do this.

  If it means that Netscape (or CERN, or W3) makes their server
available with 40-bit encryption, BUT WITH HOOKS so that I, as the
buyer, can EASILY replace it with my licensed RSA algorithms to be used
by RSA licensed clients, then I can work with it.  Kerberos, PGP,
rot13, whatever could be put in by the end user.  If it has only the
generic hooks and an API, US people could put in PGP (licensed).

  The free world could, perhaps, find a PGP-like thing that they had,
but never got from a US vendor (although I'd never advocate it).

  In the meantime, real business can't work over the net.  We're not
just looking for simple credit card work but looking at using the net to
send valuable information.

-  People already pay large sums for data and research.  WWW is an easy
   distribution mechanism.

-  People want to run scripts via WWW (look at MIT's DNS management
   system).

Without authentication it won't work.

chuck yerkes
consultant
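The "decrypt once, then use a lookup table" concern raised in the post above, as an added toy illustration (not code from the original message, the list, or any 1995 product): the key space is shrunk to 16 bits so the table builds in seconds, the cipher is a constructed hash-derived keystream rather than RC4, and the 8-byte known header is an assumption. It also shows the two things that defeat the table: a key space too large to enumerate, and a per-message nonce that breaks the fixed header-to-ciphertext mapping.

```python
import hashlib
import os

KEY_BITS = 16                  # toy size; the 1995 export ciphers under discussion used 40 bits
KNOWN_HEADER = b"GET / HT"     # assumed: every message begins with this fixed 8-byte prefix


def keystream(key: int, n: int, nonce: bytes = b"") -> bytes:
    """Toy keystream (constructed, not RC4): bytes derived from the key and an optional nonce."""
    assert n <= 32, "toy keystream is limited to one SHA-256 output"
    return hashlib.sha256(key.to_bytes(8, "big") + nonce).digest()[:n]


def encrypt(key: int, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """XOR the plaintext with the toy keystream."""
    ks = keystream(key, len(plaintext), nonce)
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def build_table(key_bits: int = KEY_BITS) -> dict:
    """The one-time work: image of the known header under key k -> k, for every k."""
    return {encrypt(k, KNOWN_HEADER): k for k in range(1 << key_bits)}


def recover_key(table: dict, ciphertext: bytes):
    """Per message: a single dictionary lookup, no trial decryption at all."""
    return table.get(ciphertext[: len(KNOWN_HEADER)])


def table_bytes(key_bits: int, entry_bytes: int = 13) -> int:
    """Rough storage for a full table: 8-byte header image + 5-byte key per entry."""
    return (1 << key_bits) * entry_bytes


if __name__ == "__main__":
    table = build_table()
    key = 0xBEEF
    msg = KNOWN_HEADER + b"TP/1.0 secret"
    print("recovered key:", hex(recover_key(table, encrypt(key, msg))))      # 0xbeef
    # A per-message nonce changes the keystream, so the precomputed table misses.
    print("with nonce:", recover_key(table, encrypt(key, msg, os.urandom(8))))  # None
    for bits in (40, 128):
        print(f"{bits}-bit table: ~{table_bytes(bits) / 2**40:.3g} TiB")
```

For 40 bits the table is ~13 TiB, which is the "large lookup table" of the post; for 128 bits the same formula gives a number with no physical meaning, which is the whole argument for longer keys.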
