From: Andy Brown <asb@nexor.co.uk>
Date: Mon, 2 Oct 95 01:27:02 PDT
To: cypherpunks@toad.com
Subject: Re: VISA and Microsoft STT Specs available
In-Reply-To: <199509291902.MAA23808@ix8.ix.netcom.com>
Message-ID: <Pine.SOL.3.91.951002092117.12900A-100000@eagle.nexor.co.uk>
MIME-Version: 1.0
Content-Type: text/plain


On Fri, 29 Sep 1995, Bill Stewart wrote:

> Some cryptographic high points, from a brief scan.
> - 1024-bit RSA signatures, using PKCS#1 format.
> - SHA 160-bit hashes
> - Symmetric bulk crypto includes two options (I haven't yet seen
>   how you choose between them; I assume it's export/domestic?)
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   == RC4/64 with 24 bits of salt leaving 40 bits of real key
>   == DES-CBC - yes, that's single-DES.  IV=0.

From http://www.windows.microsoft.com/windows/ie/stt.htm:

  NOTE: this document covers the International version of the STT 
  protocol, which includes DES encryption of all financial data, direct 
  RSA encryption of bank card account numbers, and 40 bit RC4 encryption 
  of the purchasing order form contents and receipt.  A US/Canada version 
  of the protocol with triple-DES encryption of the order, receipt, and 
  all financial data and direct RSA encryption of bank card account 
  numbers will be documented and published in the near future.

So it looks like single DES is now OK for export, at least it seems to be 
in this case where its application is strictly limited to "financial data".


- Andy

+-------------------------------------------------------------------------+
| Andrew Brown  Internet <asb@nexor.co.uk>  Telephone +44 115 952 0585    |
| PGP (2048/9611055D): 69 AA EF 72 80 7A 63 3A  C0 1F 9F 66 64 02 4C 88   |
+-------------------------------------------------------------------------+