Banks and 128 bit DES

Ben Laurie ben at algroup.co.uk
Sat, 18 Mar 2000 16:32:57 +0000


David Hansen wrote:
> 
> As a break from the Home Office I thought some light relief might be
> in order. My business bank recently offered me access to my
> account via Internet. The blurb and web site are impressive in a
> superficial way, but neglect the vital technical details. Being
> something of a stirrer I asked them about the method of encryption.
> The following is the reply I received, with the name of the sender
> changed to AN Other and some inconsequential points snipped.
> 
> My browser doesn't mention "SSL 128 BIT DES encryption", though
> obviously it mentions 56 bit DES and 168 bit triple DES. Is there a
> new form of 128 bit DES and am I out of touch?

No.

> If not what does
> this tell us about the ability of large organisations (the sort of
> organisation government was until recently telling us we could
> confidently escrow keys with) to understand and implement
> encryption?

I'm not sure what it tells us, since the obvious conclusion is that
those who did the implementation are not those who answer stupid
questions from clients. :-)

OTOH, "additional security measures that we do not divulge" is a
standard bit of bank bollox that gives me no confidence whatsoever
(especially knowing what I know about banks and ATM security).

Cheers,

Ben.

> 
> >From:                  AN_Other@bankofscotland.co.uk
> >To:                    davidh@spidacom.co.uk
> >Date sent:             Fri, 17 Mar 2000 16:37:14 +0000
> >Subject:               Internet HOBS Feedback Submission
> 
> >Thank you for the feedback Mr Hansen, I have addressed each
> >point in turn:
> 
> [snip]
> 
> >Internet HOBS is secured using SSL 128 BIT DES encryption and
> >protected by multiple firewalls and additional security measures
> >that we do not divulge. Internet HOBS operates on Netscape 4.5
> >and Microsoft IE4 and upwards.
> 
> >I hope this information is of value to you.
> 
> >Regards
> 
> >AN Other
> >Project Manager
> >ecommerce
> 
>  David Hansen | davidh@spidacom.co.uk  | PGP email preferred
>  Edinburgh    | CI$ number 100024,3247 | key number F566DA0E
> 

--
SECURE HOSTING AT THE BUNKER: http://www.thebunker.net/hosting.htm

http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe? http://ApacheCon.Com/