Re: Illegal to do research on cryptography?

From: Tom St Denis (tom_at_securescience.net)
Date: 04/04/04 

Date: Sun, 04 Apr 2004 20:52:28 GMT

Rahul Dhesi wrote:

> Tom St Denis <tom@securescience.net> writes, responding to Vincent
> Granvill:
>
>>> Because as a merchant I have 0% fraud...
>
>>Um that's risk management not security. The risk of someone attacking
>>your
>>system is high because the cost of attack is low. Schneier said this
>>during the 1995 HOPE session [I think it was him anyways...], let me
>>paraphrase [since I don't have the audio clip anymore]
>
>>"Nobody is going to waste time to mass-produce forged nickles because you
>>couldn't make enough cheaply to turn a profit..."
>
> But in 2003, Schneier wrote about SSL in web-based e-commerce as
> follows.
>
> http://www.schneier.com/crypto-gram-0303.html#3
>
> ...You are using SSL to establish a secure channel with a random
> person. What secrets are you going to tell the stranger? Nothing,
> because you have no idea who he is.
>
> ...By now it should be obvious that hackers don't steal credit card
> numbers one by one across the network; they steal them in bulk -- by
> the thousands or even millions -- by breaking into poorly protected
> networks. Many smaller e-commerce sites don't use SSL to protect their
> credit card transactions, and even there this kind of attack simply
> doesn't happen.

This is all true. So why ever buy anything? I mean you walk into a store
and buy something [cash, debit, cc]. First off with debit/cc in North
America is still swipy mag cards. So what's to say the 7$/h clerk isn't
gonna steal your CC number from a slip and use it [say] online. I mean
when I worked retail I had enough time to get the security number off the
back so I could write it down later...

The trick is a) reputation and b) better than nothing. I bought flash carts
from Lik-Sang [before they became a MSFT puppet]. I could have not bought
the carts and done without or I could rely on the word of others and
essentially gamble. But at least with an SSL connection I know the data is
being transmitted to a server which is controlled by a company I have
placed [some well founded] trust in.

The argument here though is what is the value of a home brew cryptosystem
over SSL? If you say SSL is worthless than so is the homebrew system and
therefore the thread moot.

> The user whose credit card number was used without authorization does
> not lose any money. It's the merchant who accepts a stolen credit card
> number who bears the risk.

It's still annoying to sort out and in the mean time lets criminals get away
with stuff. For example, as the 7$/h clerk I could have bought said flash
carts with someone elses credit card. The product would have been shipped
before the credit card data was posted and the net effect is I get free
flash carts. Chances of me getting caught [provided I don't do this twice]
is next to nill and the result is credit card users pay the price in higher
interest rates.

> And that merchant's risk does not increase if his web site accepts
> credit card numbers without encryption. It should be obvious why: the
> use of an encrypted channel for accepting credit card numbers has no
> effect on whether or not the numbers being submitted to the merchant are
> stolen. A person possessing stolen credit card numbers can submit them
> for purchases just as effectively via SSL as via a clear http channel.

Then why use any crypto? I'd say it's much easier to steal credit card
numbers when they are placed in plaintext then when they are not.

By your logic cars shouldn't have breaks because cars with breaks get into
accidents....

> So who really benefits when SSL is used for transmitting credit card
> information to a web site? The vendors of SSL certificates do.

This I agree with to an extent.

> I'm afraid Mr. Vincent Granvill is absolutely correct in his assumption
> (if I understand him correctly) that a warm feeling of security is the
> primary benefit of encryption during e-commerce transactions like those
> he is doing on his web site.

And pure responsiblity. If you play by the books [which are often free, and
in the case of certs relatively cheap, that is you don't have to use
verisign...] at least if you do get attacked you were acting responsible.

Like just recently some french bastards [from Quebec] nearly wrote off my
fathers parked car [I was at a friends place doing a college project]. If
it was an act of god I wouldn't have been upset at them but because they
were speeding they weren't taking proper precautions and as a result they
were charged with [iirc] reckless driving.

The point is if you follow reasonable security precautions you're more
likely to keep customers, not be successfully attacked and not held
responsible. In this case SSL already exists for securing transactions.
Can it be abused? Yes. But it can be used safely.

His homebrew scheme can't even be used safely in any context...

Tom