[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 Security Last Call Initial Questions

In message <199503301530.AA44440@interlock.ans.net> you wrote:
> bound@zk3.dec.com says:
> > >Just to repeat -- any exportable algorithm is too weak to provide any
> > >security. This is the case with all these 40 bit key algorithms. You
> > >can break them over the weekend in your lab.
> > 
> > I have heard this but not from what "I" consider the experts (e.g.
> > Bellovin, Karn, Kent, Kaufmann, Eastlake, S. Crocker, Nessett, Tardo,
> > Linn, and others).  
> Jim;
> I believe J.I. is monitoring this mailing list, so I'll let him speak
> for himself, but he figured out for me last year when he was playing
> with RC4 that 40 bit RC4 could be broken with the resources he had
> available at the CS department at Columbia in a few days. If you like,
> I'll try to make sure that he posts figures.
> I'll point out that I consider anything that can be broken for under
> $1,000,000 to be completely unacceptable given my interests in the
> banking community, and DES already is dangerously weak in that regard
> -- I'd almost prefer standardizing on 3DES. 40 bits by my measure is a
> complete joke.
> Perry

It's quite a statement to say that DES "already is dangerously weak", last
time I checked the national and international banking standards use just
that. If DES  was so bad, I'd expect that the Fed, not to mention the for
profit banks, would be clamoring much harder for a "better" solution.  In any
case, current export regulations allow for easy (as easy as it gets) export
of DES into banking systems, so use of DES for that application shouldn't
present anyone with a problem. 

If (as has been implied over and over again) a $1M machine can be built to
"break" DES, then I would expect that bank profits would be way down by now
(they wouldn't announce it was through electronic theft of course). 

I'll also point out that privacy of wholesale bank transactions is really not
the problem, it is authentication, and there the standard is symmetric-keyed
Message Authentication Codes. (which now that I think of it is not much worse
than keyed MD5, oh well). Also, in most countries bank records are not, to
any real approximation, private, and some transactions are reported directly
to the government (horrors!).

As far as IP standardization goes, DES is probably the way to go, with
options for other things (the Internet way!). Although US companies will need
to deal with the export issue (everyone call Sec. Brown, give him a job
related problem to worry about), a 40 bit toy doesn't fare any better than
DES, since both need to go through the motions of export licensing. As for
non-US firms, they have their own government's to worry about (cf. France).

In practice, if we standardized on the Unix random() function and key
management simply passed around the seeds, 99.9% of the net would never know
the difference. For those that are truly worried about security, the standard
needs to provide them the ability to slip in better cryptography as they see