--- begin forwarded text Sender: e$@thumper.vmeng.com Reply-To: "Joseph M. Reagle Jr." <reagle@rpcp.mit.edu> Mime-Version: 1.0 Precedence: Bulk Date: Thu, 10 Apr 1997 09:47:06 -0400 From: "Joseph M. Reagle Jr." <reagle@rpcp.mit.edu> To: Multiple recipients of <e$@thumper.vmeng.com> Subject: Internet security code said vulnerable to hackers This is one screwed up story. I don't know what they are actually trying to say, but the guy from MasterCard isn't helping. (I stick my two derisive comments into the story. <smile>) Forwarded Text ---- ATLANTA, April 9 (Reuter) - The new security protocol for safeguarding credit-card transactions on the Internet may have to change because the underlying cryptography is too easy to hack through and too difficult to upgrade, an expert said Wednesday. Steve Mott, senior vice president of electronic commerce and new ventures for MasterCard International, said it could take hackers as little as a year to break the industry's standard encryption code, which is supposed to render credit-card numbers unreadable to outsiders on the Internet's World Wide Web. For that reason, the consortium of technology companies and creditors that has spent two years years developing the Secure Electronic Transaction (SET) protocol may switch to a faster encryption system called Elliptic Curve, which is produced by Certicom Corp. The first complete version of SET, known as SET 1.0, will be available to software makers June 1 with core cryptography provided by RSA Data Security, a unit of Security Dynamics Technologies Inc. ``RSA is a very good starting point. But we suspect that in a year or two, the Kevin Mitnicks of the world will start to figure out ways to hack it,'' Mott said. Mitnick is one of the most notorious computer hackers. [This is stupid mixing "hackers" with key lengths. Kevin Mitnick doesn't have didley to do with encryption. He just grabbed a huge CC plain text file off of netcom file system. Should have said Ian Goldberg, or the folks at Ecole Polytechnique in Paris or MIT.] ``The only way you scale an RSA is to add a lot more bits. You add a lot more bits and it becomes more complex software in terms of the interaction of the transaction messages. That's part of what's taken SET so long to start with.'' [This is a hoot! Adding a longer key length makes the software more complex! And THIS is what has held up SET!!!?? <grin>] MasterCard has been helping put together merchants with its own member banks for SET pilot projects in Denmark, Japan, Taiwan, South Africa and the United States. Mott told a news conference at the Internet Commerce Expo that the Elliptic Curve encryption system would make a better encryption core. In fact, he said it would have been chosen in the first place if developers had been known about it. ``It will fit on a chip card. I think its 160 bits equals security to 1,024 bits of RSA,'' the credit industry executive said. ``We anticipate putting it into some SET 1.0 pilots in the very near future this year in the U.S.'' Far from being disturbed by the possibility of hackers getting through the current SET cryptography, Mott said SET's developers would ``give them an award and a ribbon and then embody whatever they did as part of the improvements'' in the next version of security standards. ``The current version for SET is as safe as anybody can make it,'' he said. End Forwarded Text ---- _______________________ Regards, A man's dreams are an index to his greatness. -Zadok Rabinwitz Joseph Reagle http://web.mit.edu/reagle/www/ reagle@mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E ---------- The e$ lists are brought to you by: Intertrader Ltd: "Digital Money Online" <http://www.intertrader.com/library/DigitalMoneyOnline> Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info@hyperion.co.uk Like e$? Help pay for it! <http://www.shipwright.com/beg.html> For e$/e$pam sponsorship, mail Bob: <mailto:rah@shipwright.com> Thanks to the e$ e$lves: Of Counsel: Vinnie Moscaritolo <mailto:vinnie@webstuff.apple.com> (Majordomo)^2: Rachel Willmer<mailto:rachel@intertrader.com> Commermeister: Anthony Templer <mailto:anthony@atanda.com> Interturge: Rodney Thayer <mailto:rodney@sabletech.com> --- end forwarded text ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/