In message <[EMAIL PROTECTED]>, John Gilmore writes:
>> You are saying that some guy in his basement can break DES?
>
>Hmm, works in my basement... :-)
>
>If ordinary everyday hackers can remotely command tens of thousands
>of machines to do distributed denial of service attacks, why can't
>they crack DES keys?
They probably can crack a few -- but unless it's a key encryption key
or the attackers *know* exactly which sessions have the data of
interest, they probably won't get much interesting stuff.
>Providing 3DES doesn't cost any more than providing DES. CPU cycles
>are cheap and depreciating rapidly. But it provides much better security.
Agreed.
>> I am not excusing MS; their flaw was misleading the user. Their real mistake
>> is that the item should have been labeled '3-DES or DES (export friendly)'.
>
>Well, no. It should tell you what the system really does. It should
>have been labeled "DES". The 3DES option should be labeled "3DES". I
>know that's a little esoteric for your average programmer, tech
>writer, manager, or spook to understand, but security is not for wimps.
Yes -- this is the real flaw, that the system lies to its users.
>
>By the time Microsoft shipped win2000, of course, there were no laws
>that would keep it from using 3DES where it was using DES. They have no
>'export control' excuse.
Sorry; that's not fair. Release engineering isn't for wimps,
either. You *don't* add a new module to a release at the last second,
even if it *should* be a harmless change. (If, through some mischance,
adding 3DES to the default distribution accidentally disabled any
encryption at all, people on this list would be the first to cry
"Conspiracy!" But as any reader of RISKS knows, inadvertent failures
far outnumber real attacks. (And if you don't understand that, you
shouldn't be writing security software, either. Bugs are *far* more
important as a source of computer security problems than is weaker crypto.
To see what I mean, note that the two most recent CERT advisories
concern buggy crypto modules, and ask yourself how using triple AES
would have helped.))
Hmm -- this suggests an interesting experiment. In support of this
design decision, Microsoft had to add some extra code to their IPsec
module, code that will fall back to single DES in a context where it
would otherwise not have done so. I wonder if, due to bugs, there are
other, inadvertent substitutions possible. Does the code special-case
DES and 3DES? How is it implemented? An extra offer in the IKE
negotiation? What if the other side offers only a 40-bit cipher? Will
it fall *up* to DES? I wonder what bugs this might have introduced.
--Steve Bellovin
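The "fall *up* to DES" question at the end of the message, worked through as an added example. This is hypothetical illustration code written for this page; it is not code from the thread and not Microsoft's IPsec/IKE implementation, and nothing here describes what Windows 2000 actually does. It models an IKE-style responder that special-cases DES and 3DES (treating anything that is "not 3DES" as single DES) beside a fail-closed responder that only selects a transform the peer actually proposed and that meets a configured minimum strength. The transform names, the strength table, the `negotiate`/`strict_responder`/`special_case_responder` helpers and all proposal lists are constructed for the example.

```python
# Added example, not from the original thread and not Microsoft's code:
# a toy model of IKE-style transform selection showing how a DES/3DES
# special case can "fall up" to a cipher the peer never offered, or fall
# back to single DES against policy, and how a fail-closed responder plus
# an initiator-side check avoid both. All names and tables are constructed.

from typing import Callable, List, Optional

# Constructed table: transform name -> effective key strength in bits.
# 3DES is listed at its ~112-bit effective strength (meet-in-the-middle),
# not its 168-bit nominal key length. DES40 stands for a 40-bit export cipher.
STRENGTH = {"DES40": 40, "DES": 56, "3DES": 112, "AES-128": 128}

Selector = Callable[[List[str], List[str], int], Optional[str]]


def special_case_responder(local_prefs: List[str], peer_offers: List[str],
                           min_bits: int) -> Optional[str]:
    """Hypothetical buggy responder modelling the fallback the thread worries
    about. It knows only two cases, '3DES' and 'not 3DES', and maps the
    second to single DES. Two failure modes follow:
      * peer offers only DES40  -> returns DES, which the peer never proposed
      * peer offers only DES    -> returns DES even when policy demands more
    min_bits is ignored on purpose; that is the bug being modelled."""
    if "3DES" in local_prefs and "3DES" in peer_offers:
        return "3DES"
    return "DES"


def strict_responder(local_prefs: List[str], peer_offers: List[str],
                     min_bits: int) -> Optional[str]:
    """Fail-closed responder: walk the local preference list, skip anything
    weaker than min_bits (even if it was configured locally), and return
    the first transform the peer also offered. None means: no SA."""
    for t in local_prefs:
        if STRENGTH.get(t, 0) < min_bits:
            continue
        if t in peer_offers:
            return t
    return None


def initiator_accepts(peer_offers: List[str], chosen: Optional[str]) -> bool:
    """Initiator-side check: the responder's choice must be one of the
    transforms the initiator actually proposed. This is what catches a
    responder that 'falls up' (or sideways) to something never offered."""
    return chosen is not None and chosen in peer_offers


def negotiate(selector: Selector, local_prefs: List[str],
              peer_offers: List[str], min_bits: int = 112) -> Optional[str]:
    """One proposal/response exchange. The initiator sends peer_offers, the
    responder (selector) picks a transform, and the initiator validates the
    answer against what it sent. Returns the agreed transform or None."""
    chosen = selector(local_prefs, peer_offers, min_bits)
    return chosen if initiator_accepts(peer_offers, chosen) else None


if __name__ == "__main__":
    local = ["3DES", "DES"]  # constructed responder configuration
    for offers in (["3DES", "DES"], ["DES"], ["DES40"]):
        for sel in (special_case_responder, strict_responder):
            print(f"{sel.__name__:24} peer offers {offers!s:18} -> "
                  f"{negotiate(sel, local, offers)}")
```

The point of the two responders side by side: the special-case version answers "DES" to a peer that offered only a 40-bit transform, so only a careful initiator-side check stops the session; and it answers "DES" to a peer that offered only DES, silently negotiating below a 112-bit policy. The strict version fails closed in both cases and picks 3DES whenever both sides support it, regardless of the order in which the local configuration happens to list the transforms.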