nanog mailing list archives
Re: ABOVE.NET SECURITY TRUTHS?
From: Deepak Jain <deepak () ai net>
Date: Fri, 28 Apr 2000 23:49:15 -0400 (EDT)
> Why that whole song and dance? The idea is to approximate a cryptographic property known as "perfect forward secrecy". Perfect forward secrecy says that if, some time in the future, your machine is compromised, the enemy can't read past traffic. In this case, since that RSA key pair is discarded hourly, and that is the only key that can decrypt the session key, our old traffic is protected. It's only readable if the machine is penetrated while that key is live.
Since we are going into a description of cryptography, we might as well bring up that since the random number generator used to generate the supposedly random RSA key pair _is_ predictable, the whole idea of perfect security is improbable at best; the exercise does make it difficult for people with only a casual interest in your operations to directly compromise them.

For those who are paranoid about their serial cables traversing shared trunk space, there are inline 3DES (and other algorithm) serial line encryptors that will effectively mask your traffic if you are worried about direct (conductive) or indirect (inductive) tapping.

When deciding on how much energy and effort one wants to spend on securing a network, especially if one doesn't want to actually learn the underlying technology (and who would?), it helps to identify the enemy. Is it a foreign government or just a 12-year-old? If it's the former, you shouldn't be in public colo space (at the very least), and if it's the latter, how is he getting into the colo in the first place?

Deepak Jain
AiNET
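An added toy model of the two points above, the hourly rotated RSA server key that gives the quoted forward-secrecy property and the reply's caveat that a predictable RNG undoes it. This is not code from the thread or from any SSH implementation; it uses textbook RSA with tiny primes and no padding, so it models the property and is not usable cryptography, and the names Server, client_connect, unwrap_with_memory_dump and the demo functions are assumptions of mine.

```python
import random
import secrets

def random_prime(bits, rng):
    """Random prime of exactly `bits` bits, by trial division (fine at toy sizes)."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # fixed width, odd
        if all(c % f for f in range(3, int(c ** 0.5) + 1, 2)):
            return c

def rsa_keygen(bits, rng):
    """RSA key pair whose primes come from rng: a predictable rng gives a predictable key."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

class Server:
    """Long-term host key (signs only, never decrypts) plus an ephemeral server key."""
    def __init__(self, rng):
        self.rng = rng
        self.host_pub, self.host_priv = rsa_keygen(48, rng)
        self.rotate()

    def rotate(self):
        # Hourly in SSH-1: the old ephemeral private key is overwritten, kept nowhere.
        self.srv_pub, self.srv_priv = rsa_keygen(48, self.rng)

def client_connect(server):
    """Client wraps a fresh session key under the *current* ephemeral key.
    Returns (value seen on the wire, session key the two peers share)."""
    n, e = server.srv_pub
    k = secrets.randbelow(n - 2) + 2
    return pow(k, e, n), k

def unwrap_with_memory_dump(server, wrapped):
    """Someone who has penetrated the box can only unwrap with the key that is live."""
    n, d = server.srv_priv
    return pow(wrapped, d, n)

def forward_secrecy_demo():
    # Returns (recovered while the wrapping key is live, recovered after rotation).
    server = Server(random.SystemRandom())
    wrapped, k = client_connect(server)                  # traffic recorded at hour 0
    while_live = unwrap_with_memory_dump(server, wrapped) == k
    server.rotate()                                      # hour 1: old key discarded
    after = unwrap_with_memory_dump(server, wrapped) == k
    return while_live, after

def predictable_rng_demo(seed=20000428):
    """Servers seeded with the same guessable value get identical 'ephemeral' keys."""
    return Server(random.Random(seed)).srv_pub == Server(random.Random(seed)).srv_pub
```

forward_secrecy_demo() returns (True, False): a memory dump taken while the key is live recovers the session key, one taken after rotation does not, host key included; predictable_rng_demo() returns True, which is the reply's objection in one line.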