On Mon, 14 Oct 2002 Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:
On Mon, 14 Oct 2002 12:32:23 EDT, Joe Baptista said:
You mentioned two security protocols above - well they have proven to be
vulnerable.
http://search.cert.org/query.html?col=allcert&col=certadv&col=incnotes&col=research&col=secimp&col=techtips&col=trandedu&col=vulnotes&ht=0&qp=&qt=KDC&qs=&qc=&pw=100%25&ws=1&la=en&qm=0&st=1&nh=25&lk=1&rf=2&rq=0&si=1
http://search.cert.org/query.html?rq=0&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&col=allcert&col=trandedu&col=vulnotes&col=techtips&col=research&col=certadv&col=incnotes&col=secimp&qt=kerberos
And your point is?
there is no protocol ever developed that can not be compromised. and if
one exists please let me know.
Thats exactly my point. I have yet to see anything that can't be
compromised.
I am afraid that if you're waiting for "can't be compromised", you are in
for a VERY long wait. Serious security professionals know that anything CAN
be compromised - the requirement is that it be merely secure enough to deter
an attacker. For instance, a GSA Class 5 cabinet or vault is rated to
exactly. anything can be compromised. like i said it in the article -
security is more an act of faith. the best we can do is hope for the best
and be positive.
He means that v4 versus v6 won't matter a hill of beans to Carnivore,
what will matter to its data gathering is whether IPSec or other suitable
crypto is used *on top of* the v4/v6 connection.
ok i agree with that.
OK. I'll grant you that. However, I suggest you look at the amount of
resources needed to actually brute-force decrypt an IPSec connection
when using the recommended algorithms and key lengths - and then ask yourself
whether your threat model includes that scale attack (hint - 3DES isn't twice
as hard to break as single-DES, it's 2^56 or 72,057,594,037,927,936 times
harder. Now, if the EFF DES-breaker cost $250K, you'll need that many of
them - which is well over the US GNP. Which three-letter-agency wants to
spend that much on you, and if it's THAT important, why won't they just
engage in what Marcus Ranum calls "rubber hose cryptography"?
I don't think we have any dispute here. I don't have the budget to do it
- but others on this pretty blue plant do.
and thanks for the reading recommendation.
regards
joe baptista