At 09:37 AM 2/7/97 -0500, Vin McLellan wrote:
Now, an international institution which buys and bets the bank upon US-exportable (40-bit) cryptography probably deserves what it has bought: [...] even 56-bit keys -- whatever the algorithm! -- offer only "minimal" security. (What Goldberg did in hours, many could do in a days or weeks with much less equipment.
You don't bet the bank on 40-bit crypto, unless you're, ummm, accepting credit cards over wimp-configured sessions of SSL. (You, as merchant, may not lose if there's a forgery, and your customer's loss may be limited to $50, but the bank's loss isn't limited except by how fast they can block thieves.) While banks get Extra Slack on crypto exports, and can use 56-bit DES, they've got more serious adversaries - building a $1M machine to win a $1000 contest is a bit expensive for the average grad student, but it's a perfectly reasonable investment if you're planning to rob banks of millions of dollars with it, especially if you think you can either siphon the money off slowly while hitting a lot of banks or else make a really big haul all at once. Banks aren't the only kind of company with big money floating around; stockbrokers, commodities traders, purchasing departments of big companies that might not notice that they're buying a few percent more parts, and all sorts of other large companies are targets for crypto-cracking thieves. Because well-funded thieves can do this kind of financial damage, we have a legitimate-sounding spin on "Federal law enforcement's job includes preventing large-scale theft, and they're letting their political agenda get in the way of doing their job. Sure, 56-bit keys are harder to crack than 40, but well-funded crackers could use the same techniques Ian did." Either method of theft requires being non-stupid enough not to get caught afterwards (like the $(24?)M computerized bank job last year), and having your "partners" not rip you off; a big heist also risks detection by tracking chip purchases, and provoking the Feds into banning "ASIC Laundering" and criminalizing illegal possesion of field-programmable gate arrays and such paranoid silliness. ..>> the same Strassmann Yeah, him :-)
(It was a usefully overheated hook for some article on compsec, but I don't think I ever used it. Reminded me too much of warnings that someone was bound to someday taint the city water reservoir with LSD;-) But we _were_ planning to enhance the water that way, back in the 60s! :-)
# Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp # (If this is a mailing list, please Cc: me on replies. Thanks.)