[4999] in cryptography@c2.net mail archive


Re: so why is IETF stilling adding DES to protocols? (Re: It's official... DES is History)

daemon@ATHENA.MIT.EDU (Eivind Eklund)
Sat Jun 26 16:28:19 1999

Date: Sat, 26 Jun 1999 01:54:53 +0200
From: Eivind Eklund <eivind@FreeBSD.org>
To: Tom Weinstein <tomw@geocast.com>
Cc: "William H. Geiger III" <whgiii@openpgp.net>,
        Ben Laurie <ben@algroup.co.uk>, Adam Back <aba@dcs.ex.ac.uk>,
        rah@shipwright.com, dcsb@ai.mit.edu, cryptography@c2.net,
        cypherpunks@cyberpass.net, jis@mit.edu, mleech@nortel.ca
In-Reply-To: <3773E7CE.D5CDB293@geocast.com>; from Tom Weinstein on Fri, Jun 25, 1999 at 01:34:22PM -0700

On Fri, Jun 25, 1999 at 01:34:22PM -0700, Tom Weinstein wrote:
> I think your view only makes sense if you are only interested in
> protecting yourself against entities who have $100,000 (or $50,000,
> or whatever) to build a DES cracking machine.  If, on the other
> hand, you're also worried about 12 year old kids who pass around
> lists of credit card numbers, then exportable crypto is useful to
> you.  While the first group may be more scary to you, most people
> only care about the second group.  Which is not to say that you're
> wrong about your priorities, but other people, rightly or wrongly,
> have different ones.

I did some calculations on this.  When I tracked the cracker scene
back in 1992 or so, an account collector would typically have accounts
on 1000 to 2000 different systems, sustained.  I would be surprised if
the kiddies of today have much less.  This is a large enough number of
systems to make attacking 40-bit encryption *very* feasible.  For a
relatively small site taking credit card orders, it is enough to make
it feasible to attack *all* transactions.

Not that I would worry overmuch about it - it is also trivial to
calculate the check digits on a credit card, and most of them are
given out in series.  It is also trivial to get hold of the expiry date
- just call up a credit card charger the 24 required times, keying in
the next two years worth of expiry dates and a small charge.

Eivind.

