LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

they use a non-standard encryption algorithm, so what?

they use a non-standard encryption algorithm, so what?

Posted Jan 26, 2007 21:30 UTC (Fri) by Los__D (subscriber, #15263)
In reply to: they use a non-standard encryption algorithm, so what? by stevenj
Parent article: The cost of monoculture (Gen Kanai)

It's bank software, it's probably both near-impossible and highly illegal to "spoof"...

(Log in to post comments)

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 1:21 UTC (Sat) by stevenj (guest, #421) [Link]

Why? I'm not suggesting hacking into the bank, or running anything on the bank's computers. Everything is on the client side; it's just a matter of talking to the bank computers using the correct protocol.

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 1:30 UTC (Sat) by Los__D (subscriber, #15263) [Link]

AFAIK (I'm no expert though), ActiveX objects are signed, so that you can't spoof them (to the client). Banks would probably use the same technique the other way around, so that they know the object is really theirs. Breaking that would probably be very hard, and legally amount to hacking. In the US at least it would be a DMCA violation, here in Denmark, and most of EU, we have something similar,

I have no idea what the rules are in South Korea, but I have this feeling, you know ;)

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 3:31 UTC (Sat) by stevenj (guest, #421) [Link]

Signing an ActiveX object can only authenticate it to the client, not to the server, since it is not running on the server. The only way the server could use digital signatures to force a specific client binary, as opposed to specific client algorithms, would maybe be to use some sort of "trusted computing" where the client doesn't control their own hardware, and even that is dicey. Think about it.

they use a non-standard encryption algorithm, so what?

Posted Jan 27, 2007 10:10 UTC (Sat) by Los__D (subscriber, #15263) [Link]

Hmmmm, maybe you are right, unless there's a way to hide a key inside the ActiveX object, to encrypt the messages to the bank (on top of the SEED).

And they probably doesn't care THAT much, as long as the server can authenticate the user, then I guess it's all good.

they use a non-standard encryption algorithm, so what?

Posted Jan 28, 2007 9:15 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

Sure, doing what you propose is...

* Possible, but...
* Difficult and thus expensive/ time consuming, perhaps hundreds of man months of labour to achieve nothing of consequence because it is...
* Fragile, since the non-standard higher level protocols can be changed at any time and for any reason by the banks in their proprietary code, and..
* Most likely illegal or at least grounds for having your account frozen due to its potential to interfere with the normal operations of the bank

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds