[LINK] Banks in crypto scare...
Roger Clarke
Roger.Clarke@xamax.com.au
Fri, 9 Nov 2001 15:06:49 +1100
"Chirgwin, Richard" <Richard.Chirgwin@informa.com.au>:
>The gist: a couple of researchers in the UK have broken the IBM crypto
>processing used in banks' ATM systems.
Care is needed with the wording.
If and when someone actually works out how to crack Triple DES keys,
a lot of hard work will need to be done while a higher level of
crypto-protection is implemented.
But the crackers expressly state that "We are able ... to persuade an
IBM 4758 running [particular] software ... to export any and all its
DES and 3DES keys to us".
That's an exploit, and needs to be addressed; but it's a
device-specific (and perhaps also software-specific) attack: and
most importantly it's key-theft, not key-cracking.
Maybe the gist should read something like:
A couple of researchers in the UK have broken a crypto-key protection
scheme used in some IBM-supplied ATMs.
Given that the researchers are in Ross Anderson's team, I'd give the
report a (very) high credibility rating.
Caveat: I know a little bit about crypto, like mainly how difficult
it is to utter a sentence that is (a) correct, and (b) not likely to
mislead someone who knows even less about crypto than I do.
>The BBC story is here:
>http://news.bbc.co.uk/hi/english/sci/tech/newsid_1645000/1645552.stm
>
>And the technical description of the exploit is here:
>http://www.cl.cam.ac.uk/~rnc1/descrack/index.html
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke@xamax.com.au http://www.xamax.com.au/
Visiting Fellow Department of Computer Science
The Australian National University Canberra ACT 0200 AUSTRALIA
Information Sciences Building Room 211 Tel: +61 2 6125 3666