
Re: 40 bit encryption: Missing the point



Robert Inder wrote -

> I suspect I am missing the point somewhere. [...]
> wcs@anchor.ho.att.com expresses worries that people with criminal intent
> who could fork out $1M would be able buy enough computing power to break
> 40-bit encryption schemes and get credit card numbers for $100.
> 
> Now, if crooks are prepared to pay for credit card numbers (just the
> numbers, nothing else), surely they could get them for much less than $100
> by paying supermarket staff, waiters, garage attendants or travel agents to
> pass them on. [...] Why should
> we worry that there is now going to be a high-tech, capital- and
> skill-intensive way of doing something that can be done by low-key bribery
> or blackmail or petty dishonesty anyway?

As I see it, the issue is one of "designing for success."  If E-commerce
takes off, the original set of protocols will probably last 10 to 20
years. The computing which costs $1M today will be in every teenager's
bedroom in 20 years, at a cost of perhaps $1000 in 1995 dollars.

I'd rather not discover that in the year 2005 some cracker had made
off with all my E-credit "cards" because someone in 1995 was pinching
a few pennies to reduce key length.

Let us not repeat the mistake of the UNIX "crypt()" function, which
was supposed to provide a "one-way" encryption of a user's password.
The algorithm held up for roughly a decade, but it remains in use
unmodified well after two decades....

It seems to me that in a day when DES with 56-bit keys offers only
"weak" protection of data, it is foolish to design E-commerce and
privacy systems which may last until 2050 with keys shorter than 256
bits.

When I generated my PGP public key it offered me the opportunity to
create a 1024 bit key.  My face lit up with a big smile, and I said
"sure!".

	Best,
	 -Mike Muuss

	  Leader, Advanced Computer Systems Team
	  Survivability and Lethality Analysis Directorate
	  The U.S. Army Research Laboratory
	  APG, MD  21005-5068  USA
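The "designing for success" argument above can be made quantitative with a simple cost model. The following is an added example, not part of Mike Muuss's post or of any cypherpunks code: it assumes a 1995 hardware cost of $1,000,000 to exhaust a 40-bit key space (the figure from the quoted discussion), assumes that cost-per-key halves every two years (a Moore's-law style rate chosen for illustration), and ignores cryptanalytic shortcuts entirely, so it is a floor on attacker cost, not an estimate of real-world security.

```python
"""Brute-force cost model for the key-length-versus-lifetime argument.

Added illustration; all constants are assumptions, not measurements.
"""

BASE_YEAR = 1995
BASE_COST_USD = 1_000_000.0   # assumption: $1M exhausts 2**40 keys in 1995
BASE_KEY_BITS = 40
DOUBLING_PERIOD_YEARS = 2.0   # assumption: cost per key halves every 2 years


def cost_to_break(key_bits: int, year: int) -> float:
    """Estimated cost (in 1995 dollars) to exhaust a key space in `year`.

    Each extra key bit doubles the work; each doubling period halves the
    price of that work. Brute force only: no algorithmic weaknesses modelled.
    """
    work_factor = 2.0 ** (key_bits - BASE_KEY_BITS)
    price_decline = 2.0 ** ((year - BASE_YEAR) / DOUBLING_PERIOD_YEARS)
    return BASE_COST_USD * work_factor / price_decline


def min_key_bits(target_cost_usd: float, year: int) -> int:
    """Smallest key length whose brute-force cost in `year` is still
    at least `target_cost_usd`: what to deploy if the system must survive
    until that year against an attacker with that budget."""
    bits = 1
    while cost_to_break(bits, year) < target_cost_usd:
        bits += 1
    return bits


def year_cost_drops_below(key_bits: int, threshold_usd: float) -> int:
    """First year in which exhausting `key_bits` costs less than
    `threshold_usd`: when a key length stops deterring a given attacker."""
    year = BASE_YEAR
    while cost_to_break(key_bits, year) >= threshold_usd:
        year += 1
    return year


if __name__ == "__main__":
    # Cost of the quoted $1M 40-bit attack over the lifetime of a protocol.
    for year in (1995, 2005, 2015, 2050):
        print(f"{year}: 40-bit ${cost_to_break(40, year):>16,.2f}"
              f"   56-bit ${cost_to_break(56, year):>20,.2f}")
    # The quoted discussion prices a stolen card number at $100.
    print("40-bit attack cheaper than $100 from:",
          year_cost_drops_below(40, 100.0))
    # Key length needed so a $1M attacker is still priced out in 2050.
    print("bits needed to cost >= $1M in 2050:", min_key_bits(1e6, 2050))
```

Under these assumptions a 40-bit key that costs $1M to break in 1995 costs under $1,000 by 2015 and under $100 by 2022, while holding a $1M attacker off until 2050 takes only about 68 bits. The post's 256-bit figure is therefore not about brute force at all: the margin covers the attacks the model leaves out, such as the shortcuts that turned DES from "strong" into "weak" without any change to the 56-bit key length.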

