Internet SecurityAn Oxymoron

Bedford, MA, Thursday, September 26, 2002 RSA Laboratories . . . announced that a coordinated team of computer programmers and enthusiasts, known as distributed.net, has solved the RC5-64 Secret-Key Challenge. The distributed.net team solved the challenge in approximately four years, using 331,252 volunteers and their machines.

Gee . . . it took four years and gazillion processor hours to find a 64-bit key to an encryption algorithm that was already known. The word is the key actually was discovered a few months ago, but the team didnt know it had cracked the nut (a 35-character plain text message). Could it be that we are getting a little obsessive about security? Is there any particular piece of information in your enterprise that would be of sufficient value to warrant that type of attack? OK, maybe senior managements unsecured loans and other perquisites need to be locked down that tight. Oops. Just kidding. In fact, most of us probably are using even stronger security than this. On our secure Web sites here at The National Underwriter Co., we use RC4 with 128-bit encryption. A 128-bit key means it is exponentially (adding 1 bit to the key doubles the number of possible keys) more difficult to crack than a 64-bit key using brute force. Maybe we need to step back and explore just what all this security is buying us.

Usually we discuss security from the end-user point of view: Is my credit card information safe? Is my personal financial data secure? These are all legitimate questions, and they have all been addressed and pretty much taken care of. HTTP using secure sockets and properly hardened Web and database servers provide reasonable security for user data. But now look at security from the server side. Who is that client banging on my box right now? Are they whom they claim to be? How can I really be sure the person on my Web site requesting a policy change is an authorized user?