Scriptme.net fresh news

Recent research on the security vulnerabilities of a new Dutch fare card system offers important lessons for computer security. The Dutch government spent $2 billion on the system, which has now been demonstrated to have fatal flaws. The researchers disassembled the smart cards used by the system and took high-resolution photographs of the circuitry. This allowed them to reverse-engineer the encryption algorithms being used by the system. As Felten points out, this wouldn't have been a problem if the Dutch had used an open crypto algorithm that has been widely tested and found to be secure. But because the system relied on algorithmic secrecy for security, this could be catastrophic. The algorithm uses a relatively short 48-bit key. This means that once the algorithm is known, it becomes possible to perform a brute-force attack, simply trying all 281 trillion possible keys in parallel until the correct one is found. That requires a non-trivial amount of computing power, but it's well within the capabilities of modern computer hardware. Indeed, this is precisely the approach taken by a Johns Hopkins research group three years ago when they cracked the encryption on the Exxon Mobil Speedpass, which used a 40-bit key. Brute forcing the 40-bit algorithm reportedly took the Hopkins team about 20 minutes, which suggests that -- even ignoring improvements in hardware -- it should be possible to brute force a 48-bit key in under a week. Since they're just deploying the system now and are presumably planning to use it for a decade or more, 48 bits is woefully inadequate. They ought to have used a standard, widely-tested cryptographic algorithm with a significantly longer key size, in order to make brute force attacks impractical.

Timothy Lee is an expert at the Techdirt Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

Permalink | Comments | Email This Story

Bodog Loses Another Round Of Patent Poker

Record Label Gives Fans A Reason To Buy

Books Are The Souvenir Edition For Your Idea

Apple Dumps Another Game For Being 'Too Similar' To Tetris

Dear Bands: No Matter How Much You Dislike John McCain, He Can Most Likely Use Your Song

NSA Abused Wiretap Rights: Intercepted, Shared Private Calls Of Americans

Patent Lawsuit Silly Season: TechCrunch Sued For Patent Infringement After Critical Blog Post

YouTube Taking Feature Advice From XKCD

American Citizen Detained At Border Due To Drawing Of An SUV

The Evolution Of The App Dock: Apple Didn't Invent It And Doesn't Deserve A Patent On It

Entellium Execs Simply Made Up Revenue

How Soon Until We Start Hearing Stories Of Twitter Criminals?

Can 'Pay What You Want' Work Outside Of The Music Industry?

Another YouTube Speeder Found Not Guilty Due To Lack Of Evidence

EFF Challenges Another Bogus Online Music Patent

Michael Moore Admits He Doesn't Care About International Downloads, But He Has To Pretend To

Congressional Hyperbole Used To Urge Bush To Accept A Copyright Czar

Why Did ISPs Take Down Ronald Riley's Sites?

Nobel Prize Winning Physicist Explains How Intellectual Property Damages Innovation

Can A Moron In A Hurry Tell The Difference Between A Nude Model And A Car?