Internet security code said vulnerable to hackers

17 Dec 2003

      --- begin forwarded text

Sender: e$@thumper.vmeng.com
Reply-To: "Joseph M. Reagle Jr." <reagle@rpcp.mit.edu>
Mime-Version: 1.0
Precedence: Bulk
Date:  Thu, 10 Apr 1997 09:47:06 -0400
From: "Joseph M. Reagle Jr." <reagle@rpcp.mit.edu>
To: Multiple recipients of <e$@thumper.vmeng.com>
Subject:  Internet security code said vulnerable to hackers

This is one screwed up story. I don't know what they are actually trying to
say, but the guy from MasterCard isn't helping. (I stick my two derisive
comments into the story. <smile>)

Forwarded Text ----

  	 ATLANTA, April 9 (Reuter) - The new security protocol for
  safeguarding credit-card transactions on the Internet may have
  to change because the underlying cryptography is too easy to
  hack through and too difficult to upgrade, an expert said
  Wednesday.
  	 Steve Mott, senior vice president of electronic commerce
  and new ventures for MasterCard International, said it could
  take hackers as little as a year to break the industry's
  standard encryption code, which is supposed to render
  credit-card numbers unreadable to outsiders on the Internet's
  World Wide Web.
  	 For that reason, the consortium of technology companies
  and creditors that has spent two years years developing the
  Secure Electronic Transaction (SET) protocol may switch to a
  faster encryption system called Elliptic Curve, which is
  produced by Certicom Corp.
  	 The first complete version of SET, known as SET 1.0, will
  be available to software makers June 1 with core cryptography
  provided by RSA Data Security, a unit of Security Dynamics
  Technologies Inc.
  	 ``RSA is a very good starting point. But we suspect that in
  a year or two, the Kevin Mitnicks of the world will start to
  figure out ways to hack it,'' Mott said. Mitnick is one of the
  most notorious computer hackers.

[This is stupid mixing "hackers" with key lengths. Kevin Mitnick doesn't
have didley to do with encryption. He just grabbed a huge CC plain text file
off of netcom file system. Should have said Ian Goldberg, or the folks at
Ecole Polytechnique in Paris or MIT.]

  	 ``The only way you scale an RSA is to add a lot more bits.
  You add a lot more bits and it becomes more complex software
  in terms of the interaction of the transaction messages.
  That's part of what's taken SET so long to start with.''

[This is a hoot! Adding a longer key length makes the software more complex!
And THIS is what has held up SET!!!?? <grin>]

  	 MasterCard has been helping put together merchants with
  its own member banks for SET pilot projects in Denmark, Japan,
  Taiwan, South Africa and the United States.
  	 Mott told a news conference at the Internet Commerce Expo
  that the Elliptic Curve encryption system would make a better
  encryption core. In fact, he said it would have been chosen in
  the first place if developers had been known about it.
  	 ``It will fit on a chip card. I think its 160 bits equals
  security to 1,024 bits of RSA,'' the credit industry executive
  said. ``We anticipate putting it into some SET 1.0 pilots in
  the very near future this year in the U.S.''
  	 Far from being disturbed by the possibility of hackers
  getting through the current SET cryptography, Mott said SET's
  developers would ``give them an award and a ribbon and then
  embody whatever they did as part of the improvements'' in the
  next version of security standards.
  	 ``The current version for SET is as safe as anybody can
  make it,'' he said.

End Forwarded Text ----

_______________________
Regards,   A man's dreams are an index to his greatness.
           -Zadok Rabinwitz
Joseph Reagle     http://web.mit.edu/reagle/www/
reagle@mit.edu    E0 D5 B2 05 B6 12 DA 65  BE 4D E3 C1 6A 66 25 4E
----------
The e$ lists are brought to you by:

Intertrader Ltd:                "Digital Money Online"
<http://www.intertrader.com/library/DigitalMoneyOnline>

Where people, networks and money come together: Consult Hyperion
http://www.hyperion.co.uk                    info@hyperion.co.uk

Like e$? Help pay for it! <http://www.shipwright.com/beg.html>
For e$/e$pam sponsorship, mail Bob: <mailto:rah@shipwright.com>

Thanks to the e$ e$lves:
Of Counsel: Vinnie Moscaritolo <mailto:vinnie@webstuff.apple.com>
(Majordomo)^2: Rachel Willmer<mailto:rachel@intertrader.com>
Commermeister: Anthony Templer <mailto:anthony@atanda.com>
Interturge: Rodney Thayer <mailto:rodney@sabletech.com>

--- end forwarded text

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
Lesley Stahl: "You mean *anyone* can set up a web site and compete
               with the New York Times?"
Andrew Kantor: "Yes."  Stahl:  "Isn't that dangerous?"
The e$ Home Page: http://www.shipwright.com/