Prev: HTTP and HTTPS sessions question
Next: why does PKCS#1 use the LCM instead of Euler's totient function?
From: Thomas Pornin on 16 Apr 2010 08:08
According to unruh <unruh(a)wormhole.physics.ubc.ca>:
> I think the primary purpose of the smartcards is that the company can
> claim that any fraud is your fault and they do not have to reimburse
> you. After all you must have revealed your pin if they use it. That
> almost all the terminals are so terribly located that it is trivial to
> shoulder surf is not their fault, so it is yours.

The "primary purpose" was to reduce cost. Making the cardholder liable
may be part of that cost-reducing strategy. But not only. In the early
90's, there were only two strategies for processing payment with a
creadit card: either you have an online connection with the bank, or you
must process the card entirely offline. Online connections were
expensive; supermarkets had them. Offline meant taking a kind of
photography of the card (printing a copy of the card information, either
the embossed letters, or the bits on the magnetic strip) and praying for
the best. The chip in a smartcard makes things substantially more
difficult for an offline attacker. As far as I know, at that time, using
smartcards divided cost of fraud by about 10.

Of course merchants were not very happy about it. Fraud was supported by
banks. But _merchants_ had to buy the terminals. Customers were quite
happy to switch, mostly for practical reasons (since payment was
offline, it could be done with a portable terminal [remember, this is in
a pre-WiFi/bluetooth era], so you could pay your bill at a restaurant
without raising from your chair).

Nowadays, network is cheap, so that many offline transactions are de
facto transformed into online transactions. This changes the fraud scene
quite a bit, and there are less cost differences between smartcards and
magnetic cards. Conversely, merchants must now have a terminal
regardless of the card type, so the deployment cost of smartcards is
comparatively smaller as well.


> In canada by next year, ALL terminals are supposed to be smartcard
> terminals. Ie, no old ones are supposed to remain.

Technology is cheaper. It is easier to force it down the throats of
merchants. Although I do not know how much of the cost is supported
by merchants in Canada.


--Thomas Pornin
From: Simon Johnson on 16 Apr 2010 11:44
> To go completely to triple-DES, tens of
> millions of those things would have had to be taken out of service or
> replaced, and it wouldn't surprise me if some of them are still being
> supported.

It always surprised me that people went down the triple-DES route.
DESX was three times faster and improved the security properties of
the underlying cipher [1].

I find it hard to believe that hardware that contained DES did not
also contain a XOR instruction.

Does anyone know why people went for triple DES over DESX?

Cheers,

Simon

[1] - For those who don't know what DESX is, see the following page:
http://en.wikipedia.org/wiki/DESX
From: Maaartin on 16 Apr 2010 13:07
On Apr 16, 5:44 pm, Simon Johnson <simon.john...(a)gmail.com> wrote:
> It always surprised me that people went down the triple-DES route.
> DESX was three times faster and improved the security properties of
> the underlying cipher [1].
>
> I find it hard to believe that hardware that contained DES did not
> also contain a XOR instruction.
>
> Does anyone know why people went for triple DES over DESX?

Some time ago I had a similar question:
> I wonder if it combining the whitening idea with 2DES could not lead
> to stronger cipher than 3DES. The MITM attack makes no sense (because
> of the large keyspace) for something like
>
> ciphertext = DES(k2, (DES(k1, plaintext+k1') + k2') + k3'

and received the answer:
> ... Perhaps Triple DES was the more conservative
> choice -- they may not have completely trusted the security of that
> new-fangled whitening concept when it first came out. Also, there may
> have been compatibility issues -- Triple DES can be made compatible
> with single DES just by using the same key for each call to the cipher
> (because of the decrypt step in the middle). Double DES-X, as you
> describe it, might be harder to make inter-compatible with single DES.

Of course, DES-X can be make compatible with DES, so only the distrust
to the new whitening concept remains.
From: Paul Rubin on 16 Apr 2010 12:50
Simon Johnson <simon.johnson(a)gmail.com> writes:
> I find it hard to believe that hardware that contained DES did not
> also contain a XOR instruction.

One possibility is that the hardware used mask ROM and could not be
reprogrammed, whether or not it had an XOR instruction.

> Does anyone know why people went for triple DES over DESX?

DESX fixes DES's small-keyspace problem but is presumably still subject
to other attacks (linear cryptanalysis etc) to the same extent as single
DES.

I don't think encryption speed was an issue in that application. 3DES
was the conservative and standardized choice.
From: Scott Fluhrer on 16 Apr 2010 14:18

"Simon Johnson" <simon.johnson(a)gmail.com> wrote in message
news:cf07d517-428d-4a2e-a2c8-ece6c880e202(a)5g2000yqj.googlegroups.com...
>> To go completely to triple-DES, tens of
>> millions of those things would have had to be taken out of service or
>> replaced, and it wouldn't surprise me if some of them are still being
>> supported.
>
> It always surprised me that people went down the triple-DES route.
> DESX was three times faster and improved the security properties of
> the underlying cipher [1].
>
> I find it hard to believe that hardware that contained DES did not
> also contain a XOR instruction.
>
> Does anyone know why people went for triple DES over DESX?

The other issue is that FIPS approved 3DES and not DESX. Quite a number of
people (especially in the financial industry) consider government
endorsement quite important (possibly because of blame management; if you're
a finanical IT guy, and you advocate 3DES and it gets broken, you can always
say 'I'm not at fault, the government said it was safe'. You have no such
fallback with DESX).

--
poncho


First  |  Prev  | 
Pages: 1 2
Prev: HTTP and HTTPS sessions question
Next: why does PKCS#1 use the LCM instead of Euler's totient function?