----- Forwarded message from "James A. Donald" <[email protected]> -----
Date: Fri, 11 Oct 2013 07:41:56 +1000 From: "James A. Donald" <[email protected]> To: [email protected], Giles Coochey <[email protected]> Subject: Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted? Message-ID: <[email protected]> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Thunderbird/24.0 On 2013-10-11 00:39, Eugen Leitl wrote: > ----- Forwarded message from Giles Coochey <[email protected]> ----- > 2. Cipher Selection - we're not all cryptoanalysts, so statements like > 'trust the math' don't always mean much to us, given the reports in > the media, what is considered a safe cypher? I recently switched from > AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 > to pfs group 5, and I reduced my SA lifetimes from 28800 to 1800. > Could that be considered overkill? What Cipher's are others using? > Have any of you, who have been made recently aware of the media > coverage recently, also changed your cipher selection? What kind of > changes did you make? Overkill is a rational and appropriate response to recent revelations. NIST is actually out to get you, so you might as well put on a tinfoil hat to be on the safe side. Yes, there really is a gigantic government conspiracy, no kidding. While I am pretty sure AES and SHA 256 is perfectly safe, in view of recent events, I would follow the lead of the highly competent cryptographer Jon Callas, http://www.mail-archive.com/[email protected]/msg10926.html and use non NIST algorithms: Use Twofish in place of AES if convenient to do so, and Skein hash in place of SHA hash. ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org";>leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 _______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
