[FYI] Did Encryption Empower These Terrorists?

lynn.wheeler at firstdata.com lynn.wheeler at firstdata.com
Mon Sep 17 22:21:24 EDT 2001


we were somewhat involved in the implementation of support of commerce
server and hiding account numbers using SSL encryption (probably one of the
most wide-spread uses of the technology in the world today).

random refs:
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

The problems, of course, are 1) account numbers are essentially shared
secrets, 2) SSL only provides for protection for numbers in flight, 3) the
numbers at rest remain a major exploit (as per press stories regarding
copying of account number master files at web servers) ... aka the use of
SSL/encryption only addressed a small portion of the problem. The web server
account number master file also typically represents a risk that is
significantly greater than what a typical merchant otherwise has at risk ...
making it difficult to support a solution where the level of
security/protection is proportional to the risk

 http://www.garlic.com/~lynn/aepay7.htm#netbank2

note that the X9.59 financial standard for all account-based payments (by
the x9a10 financial standards body) ...  achieves the goal of protecting
both data at rest as well as the data in flight by defining transactions as
being authenticated with digital signatures (and that account numbers used
for x9.59 related transactions can not be used in unauthenticated
transactions). Furthermore, since account numbers are no longer shared
secrets ... it isn't necessary to "hide" the transaction (with encryption)
in order to protect the account number. There may be other reasons for
using SSL encryption for data in flight ... but with x9.59, the primary
current use of SSL (protecting the account number in flight as part of
electronic commerce) is no longer necessary (and x9.59 is a much more
comprehensive, full spectrum solution ... because it not only addresses the
issue of data "in flight" ... but also problems with the data/numbers "at
rest").

numerous x9.59 references
http://www.garlic.com/~lynn/

some specific x9.59 references
http://www.garlic.com/~lynn/subtopic.html#privacy

some other discussions related to SSL domain name certificates:
http://www.garlic.com/~lynn/subtopic.html#sslcerts

digital commerce trivia question
http://www.garlic.com/~lynn/aadsmore.htm#dctriv




                                                                                              
From: "Jim Windle" <jim_windle at eudoramail.com>
Sent by: owner-cryptography at wasabisystems.com
Date: 09/17/2001 10:11 AM
Please respond to: jim_windle
To: "Hadmut Danisch" <hadmut at danisch.de>
cc: cryptography at wasabisystems.com
Subject: Re: [FYI] Did Encryption Empower These Terrorists?




On Mon, 17 Sep 2001 11:50:13   Hadmut Danisch wrote:
>
>Depends on which kind of logic you apply.
>
>Technical logic: Yes, you're right.
>
>Political logic: No, you're wrong.
>
>The reason is, that air planes, phones, hotels, cars, etc.
>are used by common people - those who elect politicians -
>and therefore can't be bad by definition. Political logic:
>What is used by most people who elected me, can't be wrong.
>Which politician would dare to ban hotels?
>
>In contrast to that, cryptography isn't commonly used or
>understood. From a public point of view, cryptography is
>something exotic, used by spies and secret agents, hackers,
>terrorists, who need to keep their business secret. And even
>worse: It's new (at least its civil use with internet). All
>other things exist for decades and have become part of
>normal life. Cryptography doesn't.

As Perry points out in his comment here and as I pointed out in my follow
up posts, crypto is not so exotic as it may first appear.  Not only is it
installed in browsers and used to buy books and whatever else people buy on
the internet while protecting their financial information; it plays an
essential role in the financial markets.  While this application may be
largely invisible to most people it is of tremendous importance.  You point
out that crypto is a "martial" technology, to some extent this is true, but
it is increasingly used in commercial applications.  These uses are enabling
some of the most vibrant sectors of the economy that contribute greatly to
growth in GNP and productivity.  Radio and airplanes were primarily
"martial" technologies in their early years, and yet have changed the face
of civilian life in subsequent years. Suppose non-military use of those
technologies had been banned at the beginning of World War I?  In the same
way the "martial" users of crypto were insensitive to cost and user
friendliness and were the early adopters.  As crypto becomes easier to use
and more available it will be used to facilitate the move of a large
percentage of commercial transactions to the internet to reduce costs, and
uses not even imagined now will likely be found and become ubiquitous.

Jim Windle
>
>Therefore cryptography is treated differently by political
>logic.
>
>[Moderator's note: Everyone who's got a copy of Netscape or IE has
>cryptographic software in their hands, and most of them have used it.
>--Perry]
>
>
>
>And, beyond that, we have to keep in mind a certain detail:
>
>Air planes, telephones, hotel rooms, rental cars are "civil"
>equipment. In contrast to that, cryptography is a
>"martial art". Its history shows that it has been used for
>military purposes for centuries, but far less than a century for
>private purposes.
>
>Hadmut
>
>
>
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to
>majordomo at wasabisystems.com
>






More information about the cryptography mailing list
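
The point made in the post above about X9.59 (an account number that can only be used in digitally signed transactions is no longer a shared secret) can be seen in a short sketch. This is an added example, not part of the original post and not the X9.59 specification: Ed25519 from Node's built-in crypto module, the field layout, the nonce check and all names and sample values are assumptions made for illustration.

```javascript
// Added illustration, not X9.59 itself. Ed25519 stands in for the signature
// scheme; account numbers, merchants and nonces are constructed sample values.
const nodeCrypto = require('node:crypto');

// Canonical bytes that the consumer signs and the issuer verifies.
function encode(tx) {
  return Buffer.from(JSON.stringify([tx.account, tx.merchant, tx.amount, tx.nonce]));
}

// Consumer side: the private key never leaves the consumer.
function signTransaction(tx, privateKey) {
  return { ...tx, signature: nodeCrypto.sign(null, encode(tx), privateKey) };
}

// Issuer side: a registered account accepts signed transactions only.
function makeIssuer() {
  const registry = new Map();
  return {
    register(account, publicKey) {
      registry.set(account, { publicKey, seen: new Set() });
    },
    authorize(tx) {
      const entry = registry.get(tx.account);
      if (!entry) return 'unknown-account';
      if (!tx.signature) return 'rejected-unsigned';
      const ok = nodeCrypto.verify(null, encode(tx), entry.publicKey, tx.signature);
      if (!ok) return 'rejected-bad-signature';
      // Assumption of this sketch: a per-transaction nonce blocks resubmission.
      if (entry.seen.has(tx.nonce)) return 'rejected-replay';
      entry.seen.add(tx.nonce);
      return 'approved';
    },
  };
}

function demo() {
  const account = '4000-0000-0000-0002';
  const consumer = nodeCrypto.generateKeyPairSync('ed25519');
  const issuer = makeIssuer();
  issuer.register(account, consumer.publicKey);
  const tx = { account, merchant: 'books.example', amount: '25.00', nonce: 'n-001' };
  const signed = signTransaction(tx, consumer.privateKey);
  // All that a copied merchant master file yields: the bare account number.
  const harvested = { account, merchant: 'other.example', amount: '900.00', nonce: 'n-002' };
  // A signed transaction read in the clear and altered.
  const tampered = { ...signed, amount: '900.00' };
  return [signed, harvested, tampered, signed].map((t) => issuer.authorize(t));
}
console.log(demo());
```

Only the first submission is approved: the bare account number, the altered copy and the resubmitted original are all refused, which is why neither the merchant's stored file nor the transaction in flight needs to be hidden to protect the account.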