Full Disclosure mailing list archives
RE: [inbox] Re: Cisco LEAP exploit tool...
From: "Ng, Kenneth (US)" <kenng () kpmg com>
Date: Wed, 14 Apr 2004 12:25:08 -0500
Depends on what kind of break you want. If you want to break into the connection (ala add/modify/delete traffic in real time), yes a 10 minute cycle time makes it difficult. If all you want is the data afterwards (ie: see the login id and password), then all the 10 minute cycle time does is force you to do multiple breaks. But, the login and password are almost always in the start of a connection, so that is all you need to break. Outside of quantum crypto and one time keys, nothing is unbreakable. Its just a matter of time and resources. The tricks are to make them prohibitive, and make sure there is no back door like looking at power consumption. And I kind of wonder if there is anything in superstring theory that could cause problems with quantum crypto. -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Dave Howe Sent: Wednesday, April 14, 2004 11:19 AM To: Email List: Full Disclosure Subject: Re: [inbox] Re: [Full-disclosure] Cisco LEAP exploit tool... Curt Purdy wrote:
Agreed. If the packets/hashes can be accessed it can be compromised. "Unbreakable" has been touted from the 48-bit Netscape encryption that took USC's distributed network a week to crack, to Oracle 9i that took one day to compromise, I believe.
You are preaching to the choir there - however, my boss is preferring to believe the consultant's claims that the 10 minute key cycle (communicated by TLS) makes the system unbreakable.... so it doesn't need to be on a DMZ and can work "just like they were on the lan" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ***************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. ***************************************************************************** _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: [inbox] Re: Cisco LEAP exploit tool... Ng, Kenneth (US) (Apr 14)