Security 40 bit or otherwise

• To: www-security@ns2.rutgers.edu
• Subject: Security 40 bit or otherwise
• From: "John Hemming (Chief Executive MarketNet )" <JohnHemming@mkn.co.uk>
• Date: Tue, 28 Mar 95 13:51:04 -800

There are two general questions for security.  The first
often talked about is credit card security.  I have a
question to be answered about this.  I know the answer for
the UK.

Alice's credit card number is fraudulently obtained by
Bob who uses it to obtain goods from Cedric who banks with
Denise.  

Alice checks her credit card statement and finds an entry
that is not hers; who pays?

(UK answer C)

The second question is that of overhearing material conversations.
Now we have implemented SSL in our main servers at MarketNet
we will be setting up a system to allow people to hold
bank accounts and investment portfolios that can be reviewed
over the web.  We would not want those conversations to be
available for analysis by a third party.

As far as payments are concerned an authorised system of payments
needs long keys.  We would be happy with RSA keys (modulus)
of 512 bits (which when combined with the private exponent
makes 1024).  The key issue here is legal authorisation.

Furthermore as with cheques (in the UK) there will be a
time after which an instruction is not valid.  (Six months
in the UK although banks often ignore this.)  Therefore,
any system of protocols must have space for increasing the
size of keys (such as SSL), but must also ensure that
instructions (pay, buy, sell, buy futures in the Nikkei Index etc)
are not forgeable with today's technology with a considerable
level of confidence and have an element of ephemerality.

Such authentication protocols (forming equivalents in essence
to X509 and PGP signatures) do exist, but are not relevant to
the lower level of protocol covered by SSL (apart from the
initial server authentication).

• Previous: Re: 40 bit encryption: Missing the point
• Next: Re: Netscape and 40 bit encryption
• Index(es):
  • Index
  • Thread