Banks and 128 bit DES
paulfordh@uk.ibm.com
Tue, 21 Mar 2000 18:20:58 +0000
David Hansen Wrote:
>Not 128 bit DES though. It may report 168 bit triple DES which is an
>option on my browser, but never 128 bit DES.
Sure - it is possible that someone might call some flavours of 3-DES 128
bit, but only if they don't understand the fact that parity bits don't add
much to secrecy :-))
>> I _really_ hope we aren't all getting hot under the collar because
>> someone mixed up RC4 and DES in some marketing blurb ... are we ?
>
>It was not "some marketing blurb", it was a specific response to a
>specific question.
It seems that the issue is that there was no process in the Royal Bank to
answer your question and that the answers that you were given were not only
incorrect but also demonstrated the ignorance of the organisation that you
were dealing with.
>In my business if a potential customer goes to all
>the trouble of asking a specific question we try and get the answer
>right.
I agree, that is good practice. Not one that all businesses follow though.
It does cost money.
>These jokers are the people government thinks we should trust,
>but they can't even get elementary facts correct.
I agree to a certain extent...
On the one hand it does actually appear that your session is protected with
an adequate level of confidentiality (let's not discuss the strength of the
authentication though). From this we can infer that the processes and
procedures of the organisation managed to ensure that you, and other people
less knowledgeable than you, were protected with 128 bit RC4.
On the other hand it also appears that the organisation has no idea how to
manage this stuff, educate its staff and/or understand the important
nuances of the underlying technologies. This isn't good for Customer
Relations with the customers who ask awkward questions.
The real concern though, alluded to by the reference to a Bank being
proposed as a Licensed TTP (doesn't that seem a long time ago now), is that
security is only as good as the weakest link. So we can fairly safely
assume that the Processes (which seem to be OK) would in fact be undermined
by the Implementation (which seems to be lacking).
>Even if it was "some marketing blurb" things like the Property
>Misdescription Act show that such blurb is increasingly expected to
>be accurate.
Hmm - now _that_ would be interesting - Making Security Vendors match up to
the Marketing hype. Time to make "Computationally-Infeasible",
"Reasonably-Random" and "Probably-Private" trade-marks methinks :--))
Paul
--
Paul Ford-Hutchinson : EMEA eCommerce application security :
paulfordh@uk.ibm.com
OSU-1, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5YR +44 (0)1926 462005
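The parity-bit point made above, as an added illustration that is not part of the original message or thread: every DES key byte carries an odd-parity bit in its low position, so a 16-byte two-key 3DES key is 128 bits nominal but only 112 bits of key material (24 bytes: 192 nominal, 168 effective). The function names below are my own; the effective-bit count is 56 per distinct 8-byte subkey once parity is masked off, which also flags keys that degenerate to single DES.

```python
"""Nominal vs. effective key bits for DES and triple DES (added example)."""

DES_BLOCK_KEY_BYTES = 8          # one DES subkey is 64 bits on the wire
SECRET_BITS_PER_SUBKEY = 56      # 8 of the 64 bits are parity, not secret


def has_odd_parity(byte: int) -> bool:
    """True if the 8-bit value has an odd number of set bits."""
    return bin(byte & 0xFF).count("1") % 2 == 1


def set_des_parity(key: bytes) -> bytes:
    """Return key with each byte's low bit adjusted so the byte has odd parity."""
    out = bytearray()
    for b in key:
        high = b & 0xFE                       # the 7 bits that actually carry key material
        out.append(high | (0 if has_odd_parity(high) else 1))
    return bytes(out)


def des_parity_ok(key: bytes) -> bool:
    """Check that every byte of a DES/3DES key has correct odd parity."""
    return all(has_odd_parity(b) for b in key)


def nominal_key_bits(key: bytes) -> int:
    """What a product sheet would call the key size: raw length in bits."""
    return len(key) * 8


def effective_key_bits(key: bytes) -> int:
    """Secret bits: 56 per distinct subkey, comparing subkeys with parity masked off.

    8 bytes  -> single DES (56)
    16 bytes -> two-key 3DES, K1 K2 K1 (112)
    24 bytes -> three-key 3DES (168), or 112 / 56 if subkeys repeat
    """
    if len(key) not in (8, 16, 24):
        raise ValueError("DES/3DES keys are 8, 16 or 24 bytes")
    subkeys = [key[i:i + DES_BLOCK_KEY_BYTES]
               for i in range(0, len(key), DES_BLOCK_KEY_BYTES)]
    # Two subkeys that differ only in parity bits are the same key to DES.
    distinct = {bytes(b & 0xFE for b in k) for k in subkeys}
    return SECRET_BITS_PER_SUBKEY * len(distinct)


if __name__ == "__main__":
    # Constructed sample keys, not real key material.
    k1 = set_des_parity(bytes(range(0x10, 0x18)))
    k2 = set_des_parity(bytes(range(0x20, 0x28)))
    for label, k in (("2-key 3DES", k1 + k2), ("K1 K2 K1", k1 + k2 + k1)):
        print(f"{label}: nominal {nominal_key_bits(k)}, effective {effective_key_bits(k)}")
```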