At 11:50 AM -0600 10/20/2000, Bob Jueneman wrote:
Let's put this problem in perspective, and try to avoid the "chicken little, the sky is falling" syndrome.
It's quite unlikely that someone would come up with "Eureka!" type of solution to factoring large numbers that would end up completely breaking RSA,
I don't know of any solid basis for this claim. There have been unexpected mathematical breakthroughs of that magnitude in the recent past. Schönhage and Strassen algorithm for multiplication, the Fast Fourier Transforms, formulas that compute outer digits of 1/pi without computing the earlier ones, etc.
or that some way would be found to completely break the integrity of SHA-1.
Instead, we would be much more likely to see a nibbling around the edges, and a gradually decreasing confidence in existing algorithms, with more than enough time to replace them.
That is already happening.
In fact, we have already seen that. MD2 is now deprecated, and MD5 is being pretty widely supplanted by SHA-1. Likewise, DES has been broken and people are recommending that triple-DES be used, and soon AES. And OAEP is recommended to get around some hypothetical million-question attacks.
But the sky hasn't fallen, and the sun still comes up in the morning.
Even if some catastrophic weakness were somehow revealed that any high school kid could take advantage of with a single PC, there are still checks and balances. The kid still has to have money in the bank to pay for the item, and all of the usual velocity checks, etc. that are used to combat fraud would still be in place and would work. And good old-fashioned detective investigations and forensics would still be applicable.
Any good security system has defenses in depth, and is not subject to the balloon-popping problem.
Well, that is the the big question mark as I see it. There are many choices in designing financial systems based on public key technology. If people use conservative approaches then you may well be right, but if they buy the PKI party line we could face some very serious problems. In particular, systems that depend on the security of one or a few master keys should be treated with suspicion. For example, a bank could keep its own customer's public key fingerprints on file or rely on the fact that all customers' certs are all signed.
that doesn't mean that we shouldn't try to make systems be as perfect as possible. But if they aren't (and they never are), that shouldn't be the end of the world as we know it.
If we throw out existing systems and base our entire financial system on public key crypto without enough independent backups, an algorithmic breakthrough could lead the the end of the world as we know it. Algorithm compromise should be treated as an explicit risk.
Let's not invent a hypothetical Y2K problem.
Let's not forget 2038. Arnold Reinhold