[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC WORKING GROUP LAST CALL




Ben Rogers writes:
> Perhaps that's what we need to do then.  Yes, 40-bit encryption is not
> secure.  However, it is as secure as US companies are allowed to export.

Lets say that U.S. law only allowed your pharmaceutical to export
colored water. Would you pretend to your customers overseas that you
were selling them antibiotics?

Sure, U.S. law says that if it is useful you can't export it. Does
that mean you will go along and produce 

> Moreover there are non-US companies which are quite willing to buy
> 40 bit "encryption" because that is all they can get.

That's untrue. If you know of such a company, please direct them to
companies like SSH Data Security in Finland (http://www.ssh.fi/) or
any one of dozens of other overseas firms that will happily sell you
cryptography as strong as we know how to make it.

> (It is certainly better than nothing,

That is not, in fact, the case. I would strenuously argue that 40 bit
encryption is worse than nothing. It promotes a dangerous illusion of
security AND reduces your performance.

As just one example, take 40 bit SSL. Financial applications are
allowed to export crypto of high strength, but because 40 bit SSL is
around, large amounts of important information is transiting the net
essentially unencrypted. It doesn't even *need* to be sent that way,
but the "supposedly okay" in this instance is the enemy of the
good. Were it not for this quack medicine sold in pretty bottles, we'd
have decent protection of many of these apps. And no, I'm not going to
name the institutions involved.

> Of course, this is not the wisest of decisions, and it is my
> responsibility as a vendor to make sure the customer knows that.

I ask you again: if the government told you you could only sell
colored water as medicine, would you sell it anyway?

> The bottom line is that people will ask for 40 bit encryption and it
> will be provided for them.

Sure. Does the IETF have to endorse this practice?

> As a standards body it is our responsibility to help different
> implementations interoperate.

Next you will argue that the american pharmaceutical industry needs
standards for our hypothetical colored water so that people in third
world countries with infections can know they are getting the right
colored water.

I want people to understand in no uncertain terms that claiming 40 bit
ciphers are trivial to break in real time with minimal expenditure is
not hyperbole. It is literally true. 40 bit ciphers are a quack
cure, not real medicine.

> Please do.  Perhaps it will wake people up enough to campaign for
> exportable encryption.  If nothing else, we (the corporate sector) can
> approach the government with the argument that we _tried_ to sell 40 bit
> encryption abroad and nobody would buy it.  Heck, for that matter, save
> up your pennies for a 3 hour 56-bit DES breaker and sell time on it to
> anyone who might be interested.  Maybe we could push ourselves past the
> 56 bit barrier as well.

That would cost a few hundred k. I believe putting out a "crack 40 bit
keys" package for the naive end user would be a better demonstration.

> Your argument is similar to telling someone not to use their seat-belt
> on their aging car because it doesn't provide adequate security without
> being paired with an airbag.

No, I'm telling people that tying a rope around their ankle and
pretending its a seat belt is not going to provide them with
safety. 40 bit ciphers are useless childrens toys. They are barely a
step up from Rot 13. 

> 40 bit encryption has certainly aged beyond its lifetime.  But, cracking
> it does still require a non-trivial amount of compute power.

For some very low definition of "non-trivial" perhaps.

> You just have to make sure that the data passing over it doesn't
> exceed the value of the machine needed to crack it.

True enough. Lets ask what that magic value might be, shall we?

Blaze, Diffie, Rivest, Schneier, Shimomura, Thompson and Weiner
estimated that, using November 1995 technology, breaking a 40 bit key
would cost about $.08 per crack (that is eight cents) for a moderate
expenditure, and about $.001 per crack (that is one tenth of a cent)
for high expenditures. It is now 1998. Lets be generous and pretend
that it still costs three whole cents to crack a message, though two
or less is probably more like it.

Can you think of any message containing any value whatsoever that is
worth less than three cents. Just the hassle of changing my credit
card numbers would cost me many dollars in wasted personal time even
if I didn't lose a single penny from the fraud itself. The phone calls
to the bank will cost me more than three cents.

Perry


References: