[plug] Banks Online

Mike Holland myk at golden.wattle.id.au
Thu Jun 29 00:13:52 WST 2000


On 27 Jun 2000, Christian wrote:

> than trying to brute force even 40 bit SSL.  For example, the user is
> probably authenticated by their account number (relatively easily
> retrieved) and a small password/PIN.  In such a system the entropy
> involved in the shared secret being exchanged is very likely less than
> 20 bits.  Since the SSL doesn't authenticate the user (only the bank)
> this is the weak point in such a system.  In such a protocol only a fool
> would try to brute force the SSL.

Interesting. How is this?  Known plaintext won't let you crack 128-bit SSL,
will it? And you can't do a brute-force attack on the PIN, because the bank
will lock the account after n errors. How does a 3rd party get the PIN
without breaking the SSL, or is there another way to fool the bank?

I don't know SSL, but guess that the browser generates a random 128-bit
session key, and transmits it to the bank using the bank's public key,
which in turn is authenticated by the VeriSign key built into the browser.
Close?

Mike Holland  <mike at golden.wattle.id.au>
                          --==--
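
The key-transport step Mike guesses at, as an added example in Go that is not part of the original thread: a self-signed root stands in for the CA key built into the browser, a bank certificate is issued under it, the browser verifies the chain and the host name before encrypting a fresh 128-bit session key to the bank's RSA public key, and the bank decrypts it with its private key. The host name bank.example, the names "Demo Root CA" and "Untrusted CA", and all function names are assumptions. It models the RSA key exchange of SSL 3.0/TLS 1.0, where the browser encrypted a 48-byte premaster secret (from which the session keys were derived) with PKCS#1 v1.5 rather than sending the session key itself. It also exercises the two rejections the certificate check exists for. Note what it does not do: nothing in the exchange identifies the user to the bank, which is the point of the quoted reply.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed host name; "Demo Root CA" below stands in for the CA key built into the browser.
const bankHost = "bank.example"
// check aborts the demo on a setup failure (key or certificate generation).
func check(err error) { if err != nil { panic(err) } }

// template builds a certificate template: a signing root when isCA, else a server leaf for name.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if isCA {
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustCert generates a fresh RSA key and a certificate for it, self-signed when parent is nil.
func mustCert(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// browserKeyExchange is the client side: accept the presented certificate only if it chains to
// a trusted root and names the dialed host, then encrypt a fresh 128-bit session key to it.
func browserKeyExchange(presented *x509.Certificate, host string, roots *x509.CertPool) (sessionKey, encrypted []byte, err error) {
	if _, err = presented.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return nil, nil, fmt.Errorf("certificate rejected: %w", err)
	}
	pub := presented.PublicKey.(*rsa.PublicKey) // the demo only issues RSA certificates
	sessionKey = make([]byte, 16)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	// PKCS#1 v1.5 is the RSA key transport SSL 3.0/TLS 1.0 used (there for a 48-byte
	// premaster secret from which the session keys are derived, not the key itself).
	encrypted, err = rsa.EncryptPKCS1v15(rand.Reader, pub, sessionKey)
	return sessionKey, encrypted, err
}

// bankKeyExchange is the server side: only the bank's private key recovers the session key.
func bankKeyExchange(bankKey *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptPKCS1v15(rand.Reader, bankKey, encrypted)
}

// demo runs one exchange against a bank certified by the trusted root, then checks that the
// browser refuses a cert for the bank's name from an untrusted CA and a cert for another host.
func demo() error {
	root, rootKey := mustCert(template("Demo Root CA", true), nil, nil)
	bankCert, bankKey := mustCert(template(bankHost, false), root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	sessionKey, encrypted, err := browserKeyExchange(bankCert, bankHost, roots)
	if err != nil {
		return err
	}
	recovered, err := bankKeyExchange(bankKey, encrypted)
	if err != nil || string(recovered) != string(sessionKey) {
		return fmt.Errorf("bank did not recover the session key: %v", err)
	}
	fakeRoot, fakeKey := mustCert(template("Untrusted CA", true), nil, nil)
	fakeCert, _ := mustCert(template(bankHost, false), fakeRoot, fakeKey)
	otherCert, _ := mustCert(template("other.example", false), root, rootKey)
	for _, bad := range []*x509.Certificate{fakeCert, otherCert} {
		if _, _, err := browserKeyExchange(bad, bankHost, roots); err == nil {
			return fmt.Errorf("browser accepted certificate for %v", bad.Subject)
		}
	}
	return nil
}
```

Calling demo() returns nil when the certified bank recovers the same 16 bytes the browser drew and both bad certificates are refused. The host-name check matters as much as the chain check: a certificate that is genuinely signed by the trusted root but names another site must still be rejected, otherwise any customer of the same CA could impersonate the bank. The one thing the exchange never establishes is who the browser's user is; that is left to whatever account number and PIN travel inside the encrypted session.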
