
RE: On shared keys (was RE: SOI: identity protection and DOS)



Your argument is silly.

Visa and ATM transactions aren't secure. There are multiple cases where
large credit card databases have been compromised (often when an online
merchant's website is hacked). I concur with a point someone else made
recently, which is that the only reason I use Visa is that they are willing
to cover the cost of fraud (by passing it on to the merchants, who pass it
on to all customers, not just credit card users). Small-scale fraud is just
the cost of doing business. Visa's main defense is that repeat offenders
will be caught by statistical analysis.

Do I use ATMs? Yes. Are they safer than keeping my money in a shoebox in my
bedroom? Yes. Do I really feel that my money is secure? No. There's a reason
why I have a daily withdrawal limit, despite the fact that it can be
inconvenient at times. The prospect of electronic money is scary enough.
Electronic money protected by DES keys does not bode well for the future.

It's funny that you should bring up the issue of PSK vs. PK signatures in
the context of banking. In the future, when I make a purchase or a deposit,
I certainly hope there will be non-repudiation of the transaction. And that
goes doubly for transactions between large banks. I don't claim to
understand what checks and balances are preventing financial institutions in
the Cayman Islands from "inventing" money, but the use of PK signatures
couldn't hurt in the context of forensic accounting.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Alex Alten
> Sent: Tuesday, November 27, 2001 12:24 PM
> To: Hugo Krawczyk; IPsec WG
> Subject: Re: On shared keys (was RE: SOI: identity protection and DOS)
>
>
> At 01:34 AM 11/27/2001 +0200, Hugo Krawczyk wrote:
> >Everyone agrees that public key is the ONLY way to a scalable
> >Internet-wide protocol. No question about it. In particular,
> >any key-exchange protocol for IPsec MUST provide a PK-based exchange.
> >
>
> No.  I STRONGLY disagree.  I'll give a counter example.  The banking
> ATM network uses DES keys.  It has scaled, in practice, world wide.
>
> And BTW, its security & trust model is excellent.  Have you ever heard
> of a major compromise, say on the scale of 25,000 card #'s being stolen
> (like with Visa?).  Certainly nobody distrusts it because it uses
> symmetric keys for authentication.  In fact I'm certain YOU trust it
> at least a couple a times a month.  :-)
>
> - Alex
>
>
>
> --
>
> Alex Alten
> Alten@Home.Com
>
>


