
Re: On shared keys (was RE: SOI: identity protection and DOS)



At 05:11 PM 11/28/2001 -0500, Derek Atkins wrote:
>Alex Alten <Alten@home.com> writes:
>
>> You have completely missed my point, and incorrectly lumped Visa and ATM
>> security systems together.
>> 
>> My point is that for over 20 years hundreds of millions of people have
>> been using *DES* to get cash out of ATM machines.  This is a very large
>> scale system; the number of Internet hosts is an order of magnitude smaller.
>> As far as I know there has never been a major compromise of this system,
>> where lots of money was stolen from thousands of accounts.
>
>Unfortunately this last statement is not (completely) true.  There
>have been compromises of the system.  The reason there hasn't been
>much money stolen is that there are out-of-band checks and balances
>and fraud detection to keep that from happening.
>
>The fact that more fraud doesn't happen is due to the out-of-band
>additional check in place at banking institutions, rather than the
>fact that 'DES is ok'.
>
>The whole ATM system is flawed in a few major ways; using 1-DES is
>only the tip of the iceberg.  Global Static keys is the main issue.
>

Given that this is a 25-year-old design, I think that using 1-DES as a problem
is not a fair statement.  I personally know one of the original designers
of the ATM system and have spoken with him about various aspects of the
security design.  Your statement of Global Static keys is the first time
I've ever heard about it.  Maybe you could explain what you mean by these?
In particular does this so-called "flaw" allow anyone, either inside or outside
the system, to get thousands of PIN and account number pairs?  This is what
I mean by a major compromise.

BTW, I'm sure VISA has tons of additional checks at various member banks, etc.,
and yet that didn't stop some Russian hackers from getting tens of thousands
of card numbers from across the Internet.  That is a major compromise of the
system and whoever designed their security should be ashamed of it.



- Alex

--

Alex Alten
Alten@Home.Com


