Tim May
At 10:54 AM -0700 6/24/97, Adam Back wrote:
$100,000 for a machine to break DES in an average of 35 hrs
...
35 hours sounds a reasonable amount of time to break a Swift banking transfer key protecting trillions of dollars of funds.
Show me the money! A DES break that resulted in a loss of several tens of millions of dollars, suitably publicized, would be both educational and rewarding.
We often talk about the "threat model." But what's the _profit model_ for breaking DES?
Who says it hasn't been done? It's not as if the banks would be keen
to advertise this.
You remember a while back some Russians (including one "mathematician"
according to news reports) had succeeded in fleecing a US bank of
several mil and routing the money to various banks around the world.
Until they got caught. The news reports said the US bank(s) wanted to
talk to him to find out how he did it. I was always curious as to
what that Russian did to crack bank security. I conjecture that it is
possible that he built a wiener machine, and that the bank hushed up
the story. (And switched to 3DES post haste:-)
Also re. $100k = price of a ferrari and there are plenty of mobsters
around with that kind of money, that price was 1993 price. Maybe at
1997 prices $100k would get you down to a few hours again. How small
are the moving windows?
Re. the "profit model" there were several possibilities discussed
around the time the DES crack was starting, before Peter Trei
persuaded RSA to make a challenge. One was a european ATM card which
had a master DES key, and this was part of some standardisation thing
(each bank had it's own DES key, plus all participating banks allowed
this master key). But it's not much fun making profit off ATM
machines -- they have cameras in them, and the cash you can draw on
one card in a 24hr period isn't that much. You'd have to produce
hundreds of faked cards, and have a whole host of accomplices running
around emptying cash machines. Tricky logistics, many participants ->
increased chance of getting caught. Not that easy to cash in on.
One factor that hasn't really been discussed much is the possibility
of amortizing cost. You build the DES breaking machine, and if you
use it to break 1000 DES keys, that's $1k per key. Starting to open
up even lower end applications with good organisation.
I'm sure there were a couple of things discussed where there were some
interbank transfers which relied on DES. Moving window means you've
got to break the keys fast, as you say. Also I wonder how easy it is
to siphon the money and make it disappear with all the auditing. (aka
may be you could invest 1 mil and build a fast key breaker, transfer
lots of money, but so what if the audit trail points fairly and
squarely at you? Cash the money quick and buy unconditional
immunity in Belzize?)
btw I now have a text only version of the wiener paper up on:
http://www.dcs.ex.ac.uk/~aba/crypto-papers/
sans diagrams. (ps2ascii is your friend). As well as the postscript.
Some people can't handle postscript.
Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0