Re: the official end of DES (not triple DES) is announced

From: Bodo Moeller (moeller_at_cdc.informatik.tu-darmstadt.de)
Date: 07/28/04


Date: Wed, 28 Jul 2004 05:36:20 +0000 (UTC)

Bill Unruh <unruh@string.physics.ubc.ca>:

>> As a sample of
>> the private sector in the US, http://www.atmmachine.com/3DES.htm tells
>> us that ATMs supporting only single-DES for protecting data such as
>> customer PINs can remain in operation until December 31, 2005 in
>> various networks (for MasterCard, it's April 1, 2005; for Visa, it's
>> "not defined").

> Since the customer pin is only 4 digits, almost anything is stronger than
> the pin anyway.

You can find a 56-bit DES key through a passive brute-force search
attack (thus exposing any secret transmitted over the DES-protected
link), but you can't easily use brute-force search to find a PIN that
can only be verified online.

It is true that four-digit PINs are arguably much too weak: consider
ATM/credit cards as free lottery tickets for patient pick-pockets
where one in 3333 wins. But using weak encryption clearly does make
things even worse.
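The distinction drawn above, between a key that can be searched offline and a PIN that can only be tested online, as an added illustration that is not part of the original post. The cipher is a stand-in (an HMAC-based keystream with a 16-bit key instead of DES's 56 bits, so the search finishes in well under a second); the captured "session" is constructed here; and the three-wrong-guesses lockout is an assumption that matches the one-in-3333 figure in the message rather than any particular network's rule.

```python
import hashlib
import hmac
from fractions import Fraction

KEY_BITS = 16    # stand-in for DES's 56-bit key: 2**16 trial keys instead of 2**56
BLOCK_LEN = 8    # DES block size in bytes


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Keyed pseudorandom function used in place of DES. This is NOT DES; it only
    plays DES's role: a cipher whose only obstacle to the attacker is key size."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_LEN]


def encrypt(key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Counter-mode encryption of one 8-byte block."""
    ks = toy_block_cipher(key, counter.to_bytes(BLOCK_LEN, "big"))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream block undoes it


def terminal_session(key: bytes, pin: str) -> dict:
    """What a passive eavesdropper on the link sees (constructed for this example):
    a header block whose plaintext is public, then the encrypted PIN block."""
    header = b"ATMv1.0\x00"
    pin_block = pin.encode().ljust(BLOCK_LEN, b"F")
    return {
        "header_pt": header,
        "header_ct": encrypt(key, 0, header),
        "pin_ct": encrypt(key, 1, pin_block),
    }


def brute_force_key(known_pt: bytes, known_ct: bytes, counter: int) -> bytes:
    """Passive attack: one known plaintext/ciphertext pair lets every candidate
    key be checked offline, with no interaction with the bank at all."""
    target = bytes(p ^ c for p, c in zip(known_pt, known_ct))
    ctr_block = counter.to_bytes(BLOCK_LEN, "big")
    for k in range(1 << KEY_BITS):
        key = k.to_bytes(KEY_BITS // 8, "big")
        if toy_block_cipher(key, ctr_block) == target:
            return key
    raise ValueError("no key matched the captured pair")


def recover_pin_from_capture(capture: dict) -> str:
    """Weak link encryption exposes the PIN regardless of any online lockout."""
    key = brute_force_key(capture["header_pt"], capture["header_ct"], 0)
    return decrypt(key, 1, capture["pin_ct"]).rstrip(b"F").decode()


class OnlinePinVerifier:
    """Issuer-side check, the only way to test a guess when the link is sound.
    Locks the card after MAX_TRIES wrong answers (assumed policy)."""
    MAX_TRIES = 3

    def __init__(self, pin: str):
        self._pin = pin
        self.wrong = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            raise PermissionError("card locked")
        if guess == self._pin:
            return True
        self.wrong += 1
        if self.wrong >= self.MAX_TRIES:
            self.locked = True
        return False


def online_guessing(verifier: OnlinePinVerifier, guesses) -> bool:
    """Pick-pocket with the card but no link access: guesses until locked out."""
    for g in guesses:
        if verifier.locked:
            return False
        if verifier.verify(g):
            return True
    return False


def lockout_win_probability(tries: int = 3, pin_digits: int = 4) -> Fraction:
    """Chance that the lockout-limited guesser wins against a uniform PIN."""
    return Fraction(tries, 10 ** pin_digits)


if __name__ == "__main__":
    capture = terminal_session(b"\x13\x37", "4271")
    print("offline, from the wire:", recover_pin_from_capture(capture))
    v = OnlinePinVerifier("4271")
    print("online, three guesses:", online_guessing(v, ["1234", "0000", "1111"]),
          "locked:", v.locked, "odds:", lockout_win_probability())
```

The offline path never talks to the verifier, so no lockout can stop it; the online path is bounded by the lockout no matter how patient the attacker is, which is why the PIN's four digits are not the weakest link once the transport key is searchable.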