From: Bill Stewart <stewarts@ix.netcom.com>
To: Vin McLellan <vin@shore.net>
Message Hash: 912bf0be624903cb01daf292f4d59f574a70e6bacf54e4c3dab5f662c7691b30
Message ID: <3.0.1.32.19970207200944.005c0ac0@popd.ix.netcom.com>
Reply To: <199702071513.HAA24904@toad.com>
UTC Datetime: 1997-02-08 04:18:14 UTC
Raw Date: Fri, 7 Feb 1997 20:18:14 -0800 (PST)
Subject: Re: 40-bit RC5 crack meaningless??
At 09:37 AM 2/7/97 -0500, Vin McLellan wrote:
> Now, an international institution which buys and bets the bank upon
>US-exportable (40-bit) cryptography probably deserves what it has bought:
> [...] even 56-bit keys -- whatever the algorithm! -- offer only "minimal"
>security.
>(What Goldberg did in hours, many could do in days or weeks with much
>less equipment.
You don't bet the bank on 40-bit crypto, unless you're, ummm, accepting
credit cards over wimp-configured sessions of SSL. (You, as merchant,
may not lose if there's a forgery, and your customer's loss may be limited
to $50, but the bank's loss isn't limited except by how fast they can
block thieves.)
While banks get Extra Slack on crypto exports, and can use 56-bit DES,
they've got more serious adversaries - building a $1M machine to win a $1000
contest is a bit expensive for the average grad student, but it's a
perfectly reasonable investment if you're planning to rob banks of
millions of dollars with it, especially if you think you can either
siphon the money off slowly while hitting a lot of banks or else
make a really big haul all at once.
Banks aren't the only kind of company with big money floating around;
stockbrokers, commodities traders, purchasing departments of big companies
that might not notice that they're buying a few percent more parts,
and all sorts of other large companies are targets for crypto-cracking
thieves.
Because well-funded thieves can do this kind of financial damage,
we have a legitimate-sounding spin on "Federal law enforcement's job includes
preventing large-scale theft, and they're letting their political agenda
get in the way of doing their job. Sure, 56-bit keys are harder to crack
than 40, but well-funded crackers could use the same techniques Ian did."
Either method of theft requires being non-stupid enough not to get caught
afterwards (like the $(24?)M computerized bank job last year), and having
your "partners" not rip you off; a big heist also risks detection by
tracking chip purchases, and provoking the Feds into banning "ASIC
Laundering" and criminalizing illegal possession of field-programmable
gate arrays and such paranoid silliness.
..>> the same Strassmann
Yeah, him :-)
> (It was a usefully overheated hook for some article on compsec, but
>I don't think I ever used it. Reminded me too much of warnings that
>someone was bound to someday taint the city water reservoir with LSD;-)
But we _were_ planning to enhance the water that way, back in the 60s! :-)
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)