[561] in WWW Security List Archive


Re: 40 bit encryption: Missing the point

daemon@ATHENA.MIT.EDU (Mike Muuss)
Thu Mar 30 22:04:48 1995

Date:     Thu, 30 Mar 95 17:15:59 EST
From: Mike Muuss <mike@arl.mil>
To: Kenneth Rowe <kerowe@cs.umbc.edu>
cc: www-security@ns1.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


> If you dynamically generate a shared session key for a DES type system
> and you only need to protect the information for a small period of time,
> then do you need a gold-plated solution that protects the information
> for a multitude of years?

A good point, and well taken.  However, the discussion here has revolved
around protection of credit card numbers and financial account
information. Those are both items with lasting significance (months,
perhaps years of high value) and which, in my opinion, need
"gold-plated" protection.

As a personal policy, I treat my financial instruments (almost) as
carefully as I handle classified information.  Not everyone is as
obsessive/compulsive as I am about protecting their money, but then not
everyone has to live on a Government salary, either. :-)

> And if the algorithms are good but the key management is poor, what have
> you gained?

Nothing.  Key management is just as important as the strength of the
ciphers.

But if an implementation starts out with a foolishly weak cipher, and
there isn't an obvious way to upgrade the "future legacy" E-commerce
software that we are creating _right now_, things could be grim.

	Best,
	 -Mike
