Wednesday, August 3, 2011

DBS iBanking Weak Crypto

I noticed that DBS Bank uses the 3DES_EDE_CBC encryption algorithm for their Internet Banking web portal. 3DES / Triple DES / TDEA effectively only uses a 112-bit key, and this is a very weak key.

3DES is simply three DES operations put together to lengthen its key (Wikipedia). EDE stands for Encrypt-Decrypt-Encrypt, a mode meant to be backwards compatible with systems that only support normal DES. In EDE mode, the data is encrypted, then the encrypted data is decrypted again, and finally it is encrypted one last time. This means that the first encrypt and decrypt would simply do nothing, as they already encrypted and decrypted each other. Only the final single encrypt has its effect. Now, thinking back on EDE, isn't it as good as a DES (not 3DES) encryption, since it is made compatible with normal DES but probably with a longer key only?
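The compatibility property described above, as an added example that is not part of the original post: EDE collapses to a single encryption only when the keys are set equal, while with two or three independent keys the middle decryption does not undo the first encryption. Python's standard library has no DES, so a toy Feistel cipher stands in for it here, and all function names are hypothetical.

```python
import hashlib

ROUNDS = 8  # toy 64-bit Feistel cipher standing in for DES (assumption; NOT real DES)


def _f(key: bytes, rnd: int, half: int) -> int:
    """Round function: 32 bits derived from the key, round number and half-block."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rnd in rounds:
        left, right = right, left ^ _f(key, rnd, right)
    # Final swap: decryption is the same network with the round order reversed.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """Encrypt with k1, decrypt with k2, encrypt with k3."""
    return encrypt_block(k3, decrypt_block(k2, encrypt_block(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, block)))


def collapses_to_single(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bool:
    """True when EDE gives the same ciphertext as one encryption under k3."""
    return ede_encrypt(k1, k2, k3, block) == encrypt_block(k3, block)


if __name__ == "__main__":
    msg = b"8bytes!!"  # constructed sample block
    ka, kb, kc = b"key-A", b"key-B", b"key-C"  # constructed sample keys
    print("all keys equal :", collapses_to_single(ka, ka, ka, msg))
    print("two-key (A,B,A):", collapses_to_single(ka, kb, ka, msg))
    print("three keys     :", collapses_to_single(ka, kb, kc, msg))
```

Only the first case reports `True`: setting all keys equal is what lets an EDE implementation interoperate with single-DES systems.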

Recently, John the Ripper found a way to reduce the time taken to handle a DES encryption / decryption by 17%, as reported in their news email, which meant that the time taken to crack DES would also be 17% shorter.

DES has been designated a very weak encryption algorithm, not good for protecting any sensitive information, as it could be easily cracked with the computing power of modern computers and the improvement in the algorithm by the John the Ripper team.

All in all, 3DES is a weak encryption algorithm which can be fairly easy to crack, and the 112-bit key length is rather short.

For a renowned bank to use 112-bit 3DES_EDE_CBC is a very bad option, simply because of the weak algorithm, short key length and EDE mode. At least a 128-bit key length should be appropriate for basic security, and for banking and financial institutions that require high security, a 256-bit key length is the least they could offer. AES with a 256-bit key is commonly used for SSL these days. Camellia 256, IDEA, RC4 and many other algorithms are better than a weak 112-bit 3DES_EDE_CBC.

Below is the screenshot to prove my point.

At least use a stronger and more decent algorithm, DBS bank.
