Thread: Online Banking?

  1. #1
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Online Banking?

    I need some knowledgeable entity to explain some of the finer points of this. It's my understanding that a secure online transaction works something like this:

    Customer browser C requests secure session with bank server B.
    B tells C to generate a random session key K e.g. 128 bits.
    B tells C to encrypt K with B's (long) public key and send to B.
    Both parties now have the symmetric cipher session key and go ahead with the transaction.

    This sounds OK because an eavesdropper E could not conceivably discover K when it is transferred. The reason for a relatively short session key is presumably in the interests of faster/easier processing. During the session time it is also inconceivable for E to brute-force crack K. Now here's my BUT... It may be possible for E to capture the entire session packet stream. Given the time and computing power, well after the session has finished, E might be able to brute-force crack K. E would then have a plaintext transcript of the session, including C's account numbers, passwords, grandmother's middle name etc.

    I don't think this security hole exists in practice (I hope not!) so what am I missing here?

    Alan

  2. #2
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Online Banking?

    (Edited by jscher2000 on 11-Feb-08 16:10.)

    Since Bank's public key is known to all, neither the session key nor anything else can be protected by encrypting it only by the Bank's public key. This page has a description of the key exchange part of the process, but I haven't studied it closely enough to see whether it explains how that problem is avoided: http://www.ourshop.com/resources/ssl_step3.html.

    With respect to capturing the session for later cracking, that is theoretically possible. This is why it is a good idea to change passwords every so often. It's not so easy to change personally identifying information, however...

    Added: This description is a little better: http://luxsci.com/info/about_ssl.html

  3. #3
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Online Banking?

    Thanks, I had a read through that but it didn't really answer it.

    > Since Bank's public key is known to all, neither the session key nor anything else can be protected by encrypting it only by the Bank's public key.

    I should have qualified this. I believe that the session key exchange is done using asymmetric encryption protocols/algorithms (a la PGP) so that nobody but B (who has the private key) could decrypt the initial exchange of the session key. Indeed, this seems to be the most secure aspect of the transaction, since B's key pair will be (relatively) very long e.g. 4096 bits. To actually brute-force crack that part of the transaction would probably be one of those "next ice age" or "longer than the age of the universe" -type timeframes. [grin] The actual (exchanged) session key, used with a symmetric cipher throughout the "guts" of the session, is much smaller e.g. 128 bits and conceivably much more "crackable" after the event. Still confused about this.

    Alan

  4. #4
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Online Banking?

    A 128-bit key with a sturdy symmetric encryption algorithm is huge. You may well change banks before it is cracked. [smile] (This Wikipedia article suggests that it might take longer than the age of the universe.)

    On the other hand, because Bank probably serves a lot of standard content -- for example, an HTML page that has a large standard menu system that downloads before your personal data -- a determined attacker who is able to study his or her own banking sessions in detail could focus the decryption effort on just a few packets consisting largely of known plaintext. This would be a big leg up in the process, but I don't know how to estimate the reduction in time required to crack the key under those circumstances.

  5. #5
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Online Banking?

    OK, panic allayed! Obviously I was under the misimpression that 128 bit was in the realms of "practically crackable", whereas the article suggests otherwise. I was thinking in terms of the 56 bit DES crackability some years back. I thought by now that 128 bit might be considered a bit weak, but obviously not... not until I get to upgrade my system of course [grin].

    Alan

  6. #6
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Online Banking?

    Alan,

    I think the main confusion here is between Public Key and Secret Key encryption algorithms.
      • Secret Keys are great for encrypting lots of data fast. They can be relatively short. You have to find a way to exchange them that ensures the key isn't compromised.
      • Public Keys rely on the fact that it is very difficult to factorise a large number that is the product of two primes. They have to be very long to be effective. You can publish your Public key and anyone can use it to encrypt stuff that only you can read. They are great for encrypting relatively small amounts of data - such as a secret key.

    StuartR CISSP

  7. #7
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Online Banking?

    [yep] I know the difference between the two methods, but it was the relatively short length of the secret key (cf. a typical public key) that was worrying me. Jefferson's reference indicates that 128 bits is obviously sufficient.

    Alan

  8. #8
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Online Banking?

    > On the other hand, because Bank probably serves a lot of standard content -- for example, an HTML page that has a large standard menu system that downloads before your personal data -- a determined attacker who is able to study his or her own banking sessions in detail could focus the decryption effort on just a few packets consisting largely of known plaintext. This would be a big leg up in the process, but I don't know how to estimate the reduction in time required to crack the key under those circumstances.

    I don't think this represents a vulnerability here. All of this identical plaintext content would be served up using the randomly generated secret key, which changes for each session. The only key that remains a constant is the bank's public key, which is used only briefly in each session for the transmission of different plaintext (random secret key) at the start of each session.

    Alan

  9. #9
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Online Banking?

    People who analyse how to break encryption keys use a number of approaches. One of these is a known plaintext attack. If you have both the unencrypted (plaintext) and the encrypted version of something then this allows you to use mathematical approaches that wouldn't otherwise be available.

    Although this would only allow you to crack the secret key for that one session - this secret key may have been used to encrypt sensitive information such as your username and password.

    StuartR

  10. #10
    Platinum Lounger
    Join Date
    Nov 2001
    Location
    Melbourne, Victoria, Australia
    Posts
    5,016
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Online Banking?

    You may well be right, but to an armchair cryptologist like me, it's not at all obvious. The (probably simplistic) way I see it is that the secret key algorithm is known, the plaintext is known but each version of the cryptotext corresponds to a different, unknown, random secret key. There appears to be nothing to work with. Then again, I seem to recall Bletchley Park making significant progress on Enigma under a similar scenario... lots of "Alles Gute zum Geburtstag mein Führer" or something similar.

    Alan
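
Added example (not written by any poster in this thread): a toy model of the scenario discussed in posts #8 to #10, using a stream cipher constructed here from SHA-256 in counter mode and constructed page data. It shows that known plaintext lets a searcher recognise the right key, that the search cost is still set by the key length when the cipher has no structural weakness, and that a key recovered from one session does not open another; the 1e12 keys per second guessing rate is an assumption.

```python
import hashlib
import os

def keystream(key: bytes, n: int) -> bytes:
    """Toy stream cipher (constructed for this example): SHA-256 in counter mode."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return out[:n]

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def session_key(bits: int) -> bytes:
    """Fresh random key with only `bits` bits of entropy, padded to 16 bytes."""
    return (int.from_bytes(os.urandom(16), "big") % (1 << bits)).to_bytes(16, "big")

def exhaustive_search(known: bytes, ciphertext: bytes, bits: int):
    """Try every key; the known plaintext only tells us when a guess is right."""
    target = ciphertext[:len(known)]
    for guess in range(1 << bits):
        key = guess.to_bytes(16, "big")
        if xor_cipher(key, known) == target:
            return key, guess + 1
    return None, 1 << bits

def years_to_exhaust(bits: int, keys_per_second: float) -> float:
    """Worst-case time to try all 2**bits keys at an assumed guessing rate."""
    return (2 ** bits) / keys_per_second / (365.25 * 24 * 3600)

# Constructed sample data: a page prefix every customer sees, then private data.
MENU = b"<ul id='menu'><li>Accounts</li><li>Transfers</li></ul>"
SECRET = b"acct=00000000&password=example"

if __name__ == "__main__":
    k1, k2 = session_key(16), session_key(16)        # two sessions, two keys
    c1, c2 = xor_cipher(k1, MENU + SECRET), xor_cipher(k2, MENU + SECRET)
    found, tries = exhaustive_search(MENU, c1, 16)   # 16 bits: falls at once
    print("session 1 key recovered after", tries, "guesses:", found == k1)
    print("private data exposed:", xor_cipher(found, c1)[len(MENU):])
    print("same key opens session 2:", xor_cipher(found, c2)[:len(MENU)] == MENU)
    for bits in (56, 128):                           # assumed rate: 1e12 keys/s
        print(bits, "bit key:", years_to_exhaust(bits, 1e12), "years at most")
```

Each extra key bit doubles the loop in `exhaustive_search`, which is why the 16-bit toy key falls immediately while the same search against 128 bits does not finish on any realistic timescale.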
