RE: ABOVE.NET SECURITY TRUTHS?

["Roeland Meyer (E-mail)" <rmeyer () mhsc com>]

IMHO, this is a rathole. While the science behind the implementation of ecryption algorithms, in general, may be less 
than perfect. The engineering behind the implementation is "good enough", for various flavors of data usability 
persistance.

Encryption only has to protect its data for that time when the release of that data may be detrimental. The absolute 
best encryption methods only slow down the cracker.  But, that's all it has to do. At the moment, DES is crackable in 
about 12 hours (see: distributed.net and eff.org). Evenso, it is sufficient to protect data which only has a useful 
transient half-life of 3-6 hours, such as one-time pass codes. It is certainly  more secure than plain-text. Sessions 
using passwds, that are changed weekly, or even monthly, are certainly well protected by SSH1. Likewise, most session 
management packets, scripts, and configuration commands, are not useful data beyond a few weeks. The Data gets stale. 
OTOH, CC numbers are good for years (until the expiration date) and must be better protected. But its shelf-life is 
still finite.

ie: I don't care if anyone knows the password that I used last Monday, because I've changed it three times since then. 
Likewise, if someone can crack my cyper-text 200 years from now, I will most likely be beyond careing, at that 
time<grin>. 



> From: Deepak Jain [mailto:deepak () ai net]
> Sent: Saturday, April 29, 2000 1:16 PM

> > This statement is a litle too broad. I would contest that 
> the design of,
> > say, FreeBSD's /dev/random permits sufficient entropy collection to
> > usefully initialise a strong hashing algorithm with a 
> non-predictable
> > vector. 
>
> Okay, you know where I was going. Simple question - where are you
> finding entropy in a FreeBSD machine? (sufficient being a 
> very relative
> term)
>
> Not intending to scare anyone.