Development of good cryptographic protocols is a different matter. Unfortunately good protocols are closely tied to the applications they serve. This makes it harder to deploy them widely and defray costs. For this reason the weakest component of most cryptographic systems is the protocol. It is not surprising that the money mill exploited a weakness in X9.17 and not a weakness in DES. DES has been submitted to more extensive analysis and has been field tested in far more systems than has X9.17.
The solution is two-fold. First, a basic level of protection should be built into infrastructure. There is no reason why we, as consumers, should accept insecure digital communications. Every cordless phone and cell phone should support encryption. The Internet should have strong authentication and privacy. Phone cloning and eavesdropping are preventable. IP spoofing is preventable.
It is absurd for phone companies to spend millions to monitor cell-phone traffic and discontinue accounts with sharp changes in calling patterns. It would be far better to spend less and actually solve the problem.
Second, we must recognize that the supply of cryptographic products is market driven. Until consumers recognize the need for better protection, and until consumers learn to distinguish true protection from the silly platitudes of companies like Pseudo-One, we will continue to get the same slipshod systems. It is time to start paying the developers and stop paying the insurance companies and those in the legal or law enforcement professions. The tools and technology are available to prevent hacking; let’s start using them. No longer must we live with the threat of another money mill or a disaster of the magnitude of Weld’s hypothetical scenario. Internet E-mail can be elevated to a status better than that of a simple postcard. We should not have to change cell-phone numbers every few months.
To use strong encryption we have to be willing to pay for it. The principal cost is protocol development and protocol analysis. Excellent encryption programs are cheap (even free) and readily available, but current market research leads all but a few companies to opt for off-the-shelf solutions that either use a protocol originally intended for some other purpose, or else use a half-baked protocol developed by novices. Due to the extreme sensitivity of security properties in cryptographic protocols, a solid off-the-shelf cryptographic protocol is very nearly a contradiction in terms. The money spent on development of a security protocol should be proportional to the size of the threat. Lisa, Rudy, and I were able to detect the mill in a week. With the help of the NSA, the FBI, and the Information Security departments of two banks, we were able to crack the case and arrest Ignassi in less than a month. This is good evidence that the X9.17 flaw that made the mill possible was avoidable. In one night of analysis I discovered the flaw. Had the ABA recognized that protocols are the single most likely point of failure in a cryptographic system, and had they put an appropriate emphasis (e.g. time and money) into design and analysis of X9.17, then the flaw would have been discovered early on and it would have been repaired before any thefts were carried out. Our banking infrastructure was on the brink of collapse not because the flaw was too subtle to be found ahead of time, but because those in a position to do so did not appreciate the likelihood that such a flaw might be there to be found. I have no doubt that next time they will be more careful.
Even after it is repaired, it is important to recognize that X9.17, like any cryptographic protocol, is very sensitive to the trust model and the operating environment. X9.17 was designed for wholesale banking. Using it for any other purpose requires careful analysis to validate it for the new purpose. If X9.17 is used in an environment where there is open hostility between some members of the network, the flaw that made the money mill possible becomes even more ominous. The design specifications for X9.17 state that key exchanges between parties A and B should be protected from tampering and eavesdropping by C, even if C is a legitimate member of the network. Because of the flaw, this property does not hold. Luckily, the protocol appears to protect key exchanges from entities outside the network (i.e. you and me). Susan Ignassi was an insider and already had legitimate access to the master key for one bank in the network.
I am troubled when I see a protocol that was designed for one purpose being deployed for an entirely different application. The 1992 NIST recommendation that X9.17 be used for all government applications is unwise. Such recommendations should be made only after a very careful study of the protocol… the sort of study that surely would have uncovered the money mill flaw. The use of X9.17 in DES modems is questionable for the same reasons. The argument that “it is good enough for banking applications so it must be good enough for your applications” does not hold water. With such careless attitudes we were lucky the mill had not been even more damaging. We are lucky that Weld’s scenario remains hypothetical.
My attention returned to the meeting when somebody asked Samuelson what would become of Susan Ignassi. Samuelson explained to the audience that she would be fired for misconduct and accused of international banking crimes. The FBI was seeking, and expected to get, a plea-bargaining arrangement so that the case would not go to trial. Allowing the case to go to trial would make it difficult to suppress the extent of the EFT counterfeiting and the possibility of economic catastrophe that was very nearly realized by Ignassi’s crimes. The US government was unwilling to allow this to happen, and had the support of numerous other governments.