1997-04-10 - Internet security code said vulnerable to hackers

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@toad.com
Message Hash: 380f101ebd54a96bcd2a456d905d96c68c09894d35b631c03c69fa4b0a679180
Message ID: <v0302091faf72b28c4bf2@[139.167.130.246]>
Reply To: N/A
UTC Datetime: 1997-04-10 15:09:35 UTC
Raw Date: Thu, 10 Apr 1997 08:09:35 -0700 (PDT)

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Thu, 10 Apr 1997 08:09:35 -0700 (PDT)
To: cypherpunks@toad.com
Subject: Internet security code said vulnerable to hackers
Message-ID: <v0302091faf72b28c4bf2@[139.167.130.246]>
MIME-Version: 1.0
Content-Type: text/plain



--- begin forwarded text


Sender: e$@thumper.vmeng.com
Reply-To: "Joseph M. Reagle Jr." <reagle@rpcp.mit.edu>
Mime-Version: 1.0
Precedence: Bulk
Date:  Thu, 10 Apr 1997 09:47:06 -0400
From: "Joseph M. Reagle Jr." <reagle@rpcp.mit.edu>
To: Multiple recipients of <e$@thumper.vmeng.com>
Subject:  Internet security code said vulnerable to hackers

This is one screwed up story. I don't know what they are actually trying to
say, but the guy from MasterCard isn't helping. (I stick my two derisive
comments into the story. <smile>)

Forwarded Text ----

  	 ATLANTA, April 9 (Reuter) - The new security protocol for
  safeguarding credit-card transactions on the Internet may have
  to change because the underlying cryptography is too easy to
  hack through and too difficult to upgrade, an expert said
  Wednesday.
  	 Steve Mott, senior vice president of electronic commerce
  and new ventures for MasterCard International, said it could
  take hackers as little as a year to break the industry's
  standard encryption code, which is supposed to render
  credit-card numbers unreadable to outsiders on the Internet's
  World Wide Web.
  	 For that reason, the consortium of technology companies
  and creditors that has spent two years developing the
  Secure Electronic Transaction (SET) protocol may switch to a
  faster encryption system called Elliptic Curve, which is
  produced by Certicom Corp.
  	 The first complete version of SET, known as SET 1.0, will
  be available to software makers June 1 with core cryptography
  provided by RSA Data Security, a unit of Security Dynamics
  Technologies Inc.
  	 ``RSA is a very good starting point. But we suspect that in
  a year or two, the Kevin Mitnicks of the world will start to
  figure out ways to hack it,'' Mott said. Mitnick is one of the
  most notorious computer hackers.

[This is stupid mixing "hackers" with key lengths. Kevin Mitnick doesn't
have diddly to do with encryption. He just grabbed a huge CC plain text file
off of netcom file system. Should have said Ian Goldberg, or the folks at
Ecole Polytechnique in Paris or MIT.]

  	 ``The only way you scale an RSA is to add a lot more bits.
  You add a lot more bits and it becomes more complex software
  in terms of the interaction of the transaction messages.
  That's part of what's taken SET so long to start with.''

[This is a hoot! Adding a longer key length makes the software more complex!
And THIS is what has held up SET!!!?? <grin>]

  	 MasterCard has been helping put together merchants with
  its own member banks for SET pilot projects in Denmark, Japan,
  Taiwan, South Africa and the United States.
  	 Mott told a news conference at the Internet Commerce Expo
  that the Elliptic Curve encryption system would make a better
  encryption core. In fact, he said it would have been chosen in
  the first place if developers had known about it.
  	 ``It will fit on a chip card. I think its 160 bits equals
  security to 1,024 bits of RSA,'' the credit industry executive
  said. ``We anticipate putting it into some SET 1.0 pilots in
  the very near future this year in the U.S.''
  	 Far from being disturbed by the possibility of hackers
  getting through the current SET cryptography, Mott said SET's
  developers would ``give them an award and a ribbon and then
  embody whatever they did as part of the improvements'' in the
  next version of security standards.
  	 ``The current version for SET is as safe as anybody can
  make it,'' he said.

End Forwarded Text ----

_______________________
Regards,   A man's dreams are an index to his greatness.
           -Zadok Rabinwitz
Joseph Reagle     http://web.mit.edu/reagle/www/
reagle@mit.edu    E0 D5 B2 05 B6 12 DA 65  BE 4D E3 C1 6A 66 25 4E




--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
Lesley Stahl: "You mean *anyone* can set up a web site and compete
               with the New York Times?"
Andrew Kantor: "Yes."  Stahl:  "Isn't that dangerous?"
The e$ Home Page: http://www.shipwright.com/







