
    REMOVE



    
    
    Bill Strahm wrote:
    
    > WEP's problem was not a weakness in encryption security, heck the crypto is
    > rock solid 128 bit used in every SSL connection on the internet (including
    > all of your stock transactions, credit card transactions etc.).  Note that
    > the cryptography is FINE.
    >
    > What was not fine was the system built around it, specifically, there was no
    > rekeying algorithm (bad) and they deployed it in such a way that as soon as
    > you saw a little over a million packets on the wire, it was broken by
    > default.
    >
    > The next thing that tends to break crypto systems is random number
    > generation, there were many hacks on Kerberos based on the usage of a
    > timestamp to initialize the random number generator.
    >
    > The third thing that tends to break crypto systems is social engineering
    > (Please give me your password tends to work about 25% of the time when
    > random people start calling into your company claiming to be I.T.)
    >
    > WAY down the list is actually breaking the cipher...  Ok, given 100K and 22
    > hours, I can break DES... However if my data is only worth 10K and I change
    > keys often, then this is acceptable.
    >
    > Again it is up to the administrator to determine what the acceptable
    > cryptography is.  Heck I use VERY good crypto, but then I have fast machines,
    > and live in a country that lets me use it.  Until the IPsec WG removes DES
    > as a MUST implement, I am sorry but it will be in every conforming IPsec
    > implementation out there.
    >
    > Bill
    > Sanera Systems Inc.
    >
    > -----Original Message-----
    > From: Paul Koning [mailto:pkoning@jlc.net]
    > Sent: Monday, September 10, 2001 10:50 AM
    > To: bill@Sanera.net
    > Cc: ips@ece.cmu.edu
    > Subject: RE: iFCP: security position
    >
    > Excerpt of message (sent 7 September 2001) by Bill Strahm:
    > > Why do you care how traffic is encrypted ???
    > >
    > > Would you rather see Clear traffic than DES traffic ?
    >
    > Yes, absolutely.
    >
    > That is because clear traffic does not mislead.  It is
    > obviously not secure.  DES is sufficiently weak that encrypting with
    > it could be viewed as a form of false advertising.
    >
    > This is also what is wrong with things like WEP -- these are systems
    > that pretend to offer security but in fact do not.  And people defend
    > them with similar arguments.  Or, for that matter, Fred Foobar's
    > Famous Snake Oil encryption algorithm.  The problem in all these cases
    > is that the appearance of crypto without the reality is much, much
    > worse than the absence of crypto.  You should have either strong
    > crypto, or none.  After all, strong crypto is readily available.
    >
    > DES shows up as mandatory in IPsec for reasons that were political, not
    > technical, and that became obsolete several years ago.
    >
    >      paul
    
    --
    **********************************************************************
    Dance like no one's watching, love like you've never been
    hurt, sing like no one's listening, live like it's heaven
    on earth.
    
     Happiness is a journey, not a destination.
    
                                    VENU GOPAL GANDESIRI
                                    Platys Communications Inc
                                    3150 A Coronado Drive
                                    SantaClara, CA, 95054
                                    Phone # : 408-496-4435 (W)
                                    Phone # : 408-243-4870 (H)
    
    
    
    **********************************************************************
    
    
      This email and any files transmitted with it are confidential and are
    intended solely for the use of the individual or entity to which they are
    addressed. Access to this e-mail by anyone else is unauthorized. If you are
    not the intended recipient, any disclosure, copying, distribution or any
    action taken or omitted to be taken in reliance on it, is prohibited.
    
    
    



Last updated: Mon Sep 10 20:17:08 2001
6497 messages in chronological order