Frank Hecker wrote:
Nelson B wrote:
Banks told their users "40 bits isn't good enough", and "we won't
let you do online banking with us with a browser that can only do
40 bit crypto". The users didn't know 40-bit crypto from Limburger,
but they got the message that it their browser could only show one
tooth, it wasn't good enough for banking.
I'm actually not disagreeing with you, but there are some important
points here that I want to highlight because IMO they're relevant to the
present discussion. I'll warn you and others in advance that some of my
arguments may seem philosophical in nature, but I do think that the
philosophizing has a valid purpose.
It's definately a good thought experiment; the days
of 40-bit v. 128-bit are well behind us now, and the
notions and arguments of those times can be considered
history.
Of course, no bank would turn around and say "oh, well,
we'll save some bits and go 40-bits coz Iang said so..."
but it is instructive to try and work out in our own
minds why it is we think this, and whether it's a valid
model for technical and economics security reasons, as
opposed to the political, liability and marketing reasons
that also swirled around in the 'good old days' of the
crypto wars.
First, we have to distinguish between differences in technical
mechanisms and the meaning that people attach to those differences. (By
"people" I mean typical users, but often others as well -- including us.)
To repeat: From a technical point of view the "one tooth"/"two teeth" UI
difference (one for 40-bit, two for 128-bit) was simply a distinction
regarding key length that arose from external factors (i.e., US
encryption export regulations). No one deliberately sat down and said
"We'll design SSL to have a 'good enough for banking' mode and a 'not
good enough for banking' mode, and we'll choose 128-bit encryption for
the one and 40-bit for the other."
Right. Although, arguably, SSL was designed to be
"good enough for credit cards." What I would say
however is that when the 40 bit and 128 bit stuff
was put in there, it was totally driven by export
considerations, and only later did the alignment
along "banking strength" come up.
On the other hand, once the technical distinction existed banks then
attached a particular meaning to the distinction: that secure on-line
banking required 128-bit keys, and could not be done with 40-bit keys.
And why should they not do so? Certainly all other things being equal,
using 128-bit encryption was at least as secure as using 40-bit and
possibly more so. (Or to put it in risk terms, using 128-bit certainly
did not increase risk vs. using 40-bit, and might possibly decrease it.)
And for US banks there was little or no cost in mandating use of 128-bit
encryption, so why not do so? (The only real impact would have been for
US banks with non-US customers, a fairly small group.)
Right, Pareto-secure-improvements and all that ;-)
(Note to Ian: Whether 40-bit encryption actually posed a real security
risk or not is IMO irrelevant to the banks' decision making. Arguably
not allowing use of 40-bit for online banking was irrational in some
sense, but I believe that in real-world security decisions irrationality
can't be removed from the equation, no more than it can in real-world
economic decisions -- e.g., behavioral economics -- and has to be
accounted for in any analysis.)
Let me add disagree mildly here: Banks make security decisions
according to rational processes. The problem is that those
processes are not based on security, so to the outside observer
they look irrational because they speak of security!
One of those processes
is an excessive sensitivity to criticism on security, which
relates to them as regulated players, and as listed players.
Both these forces push banks in the direction of doing
"everything they can" to secure their processes. Which
means that given the choice between 40-bit and 128-bit, it
would be very very unlikely that banks would choose 40-bit
knowingly.
Note that "cricitism to security" is not the same thing as
security.
The thing to look for with banks' security decisions
is the bunch of other factors involved. A simple decision
like 40-bit v. 128-bit was made clearly towards 128-bit
because there were almost no other factors (you indicated
one, being non-US customers; non-US banks had a much harder
time of it). A much more complex decision such as the use
of 2 factor authentication results in a much harder choice
for them. As a matter of history, banks in Europe have
chosen two-factor authentication without difficulty, whereas
only now, under influence from phishing, are US banks moving
to 2 factor devices. Which is a confusing story in itself,
until you remember that banks are not choosing 2 factor
authentication for security reasons ....
Once the banks attached meaning to 40-bit vs. 128-bit then clearly end
users picked up on that meaning (to the extent that they associated any
meaning at all to the 40-bit vs. 128-bit distinction). By the time the
liberalization of US export regulations ended the need for 40-bit, the
equation "(128-bit) SSL means 'secure for banking'" was firmly fixed in
people's minds, as it remains today.
(Similarly in the 40-bit vs. 128-bit case the equation 'security of
128-bit' >= 'security of 40-bit' wasn't necessarily universally true
across all browsers and web servers; for example, the security of
128-bit encryption in Netscape Navigator 1.0 was less than the security
of 40-bit encryption in Netscape Navigator 2.0, due to SSL
implementation flaws in NN 1.0.)
A good point.
(I've just limited this post to the "thought exercise"
of banks and 40 bits, for now.)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
