Date: Wed, 24 Sep 1997 10:15:45 -0400 To: Ross Anderson <Ross.Anderson@cl.cam.ac.uk> From: Carl Ellison <cme@cybercash.com> Subject: Re: Emphasizing a point by Donald Eastlake re key recovery Cc: cypherpunks@toad.com, Ron Rivest <rivest-only@theory.lcs.mit.edu>, cme@cybercash.com Reply-to: Carl Ellison <cme@cybercash.com>
-----BEGIN PGP SIGNED MESSAGE-----
At 09:34 AM 9/23/97 +0100, Ross Anderson wrote:
There is also the point that the vast majority of encryption keys are actually used for authentication rather than confidentiality. The keys that encrypt your bank card PIN en route from the ATM to the bank, the keys in your satellite TV decoder, the keys in your gas meter and your postal meter - in fact the majority of all DES keys in use - are about authentication. In theory most of them could be replaced by digital signature mechanisms but given the size of the installed base, it won't happen anytime soon.
For what it's worth, I once got an opinion from NSA's export control office that I could use any kind of crypto I wanted (e.g., even triple-DES) if all I'm doing is protecting a channel carrying a password (like the PIN), because that's an authentication function and therefore to be encouraged. I didn't get this in writing, however, so I'd have to go for it again.
- Carl
Well, I dunno. About 18 months ago, I was involved with the negotiations over the exportability of an SSL equipped web server I had helped develop. The export model used 40 bit RC4 and 512 bit keys. The initial version used 3DES to encrypt stored private keys, and this was turned down. I modified it to use single DES, and it passed. Note that this was for secret key storage only. Peter Trei trei@Process.com