Australia's financial and retail institutions are upgrading the EFTPOS (Electronic Funds Transfer at Point Of Sale) network, recognising that the brute strength of today's computers can be used to successfully break the single-length key (56-bit) encryption currently used for online transactions.
The massive upgrade to double-length key (112-bit) DES (Data Encryption Standard), which is often referred to as triple DES or 3DES, is being coordinated by the Australian Standards Committee (ASC).
SecureNet Ltd. product marketing manager and ASC member, Graham Dodson, said the current single-length key encryption can be cracked by brute force, but it would take a minimum of 14 hours. The emerging fear is of a 'real-time' attack, which, he says, is only three to four years away.
Dodson said 56-bit encryption has been secure to date. Banks are instigating a policy of rolling the keys used with every single transaction; this would mean a key is only ever used once (the policy is detailed in Australian Standards 2805.6.2).
"Triple DES will withstand foreseeable increased computing power and is part of an initiative being undertaken by financial institutions globally; but it cannot be done overnight," he said.
MasterCard has mandated that the upgrade linking institutions be in place by March 31, 2003, and up to half a million EFTPOS terminals will be upgraded by the end of 2005.