[LINK] Banks in crypto scare...
Fri, 9 Nov 2001 15:06:49 +1100
"Chirgwin, Richard" <Richard.Chirgwin@informa.com.au>:
>The gist: a couple of researchers in the UK have broken the IBM crypto
>processing used in banks' ATM systems.
Care is needed with the wording.
If and when someone actually works out how to crack Triple DES keys,
a lot of hard work will need to be done while a higher level of
crypto-protection is implemented.
But the crackers expressly state that "We are able ... to persuade an
IBM 4758 running [particular] software ... to export any and all its
DES and 3DES keys to us".
That's an exploit, and needs to be addressed; but it's a
device-specific (and perhaps also software-specific) attack: and
most importantly it's key-theft, not key-cracking.
Maybe the gist should read something like:
A couple of researchers in the UK have broken a crypto-key protection
scheme used in some IBM-supplied ATMs.
Given that the researchers are in Ross Anderson's team, I'd give the
report a (very) high credibility rating.
Caveat: I know a little bit about crypto, like mainly how difficult
it is to utter a sentence that is (a) correct, and (b) not likely to
mislead someone who knows even less about crypto than I do.
>The BBC story is here:
>And the technical description of the exploit is here:
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
Visiting Fellow Department of Computer Science
The Australian National University Canberra ACT 0200 AUSTRALIA
Information Sciences Building Room 211 Tel: +61 2 6125 3666