nanog mailing list archives
RE: ABOVE.NET SECURITY TRUTHS?
From: "Roeland Meyer (E-mail)" <rmeyer () mhsc com>
Date: Sat, 29 Apr 2000 14:06:29 -0700
IMHO, this is a rathole. While the science behind the implementation of encryption algorithms, in general, may be less than perfect, the engineering behind the implementation is "good enough", for various flavors of data usability persistence. Encryption only has to protect its data for that time when the release of that data may be detrimental. The absolute best encryption methods only slow down the cracker. But, that's all it has to do.

At the moment, DES is crackable in about 12 hours (see: distributed.net and eff.org). Even so, it is sufficient to protect data which only has a useful transient half-life of 3-6 hours, such as one-time pass codes. It is certainly more secure than plain-text. Sessions using passwds, that are changed weekly, or even monthly, are certainly well protected by SSH1. Likewise, most session management packets, scripts, and configuration commands, are not useful data beyond a few weeks. The data gets stale. OTOH, CC numbers are good for years (until the expiration date) and must be better protected. But their shelf-life is still finite.

i.e.: I don't care if anyone knows the password that I used last Monday, because I've changed it three times since then. Likewise, if someone can crack my cipher-text 200 years from now, I will most likely be beyond caring, at that time <grin>.
From: Deepak Jain [mailto:deepak () ai net]
Sent: Saturday, April 29, 2000 1:16 PM

This statement is a little too broad. I would contest that the design of, say, FreeBSD's /dev/random permits sufficient entropy collection to usefully initialise a strong hashing algorithm with a non-predictable vector.

Okay, you know where I was going. Simple question - where are you finding entropy in a FreeBSD machine? (sufficient being a very relative term) Not intending to scare anyone.