In message <[EMAIL PROTECTED]>, Eivind Eklund writes:
>On Sat, May 20, 2000 at 10:40:01AM -0700, David Honig wrote:
>> At 11:07 AM 5/20/00 -0400, Steven M. Bellovin wrote:
>> >concern buggy crypto modules, and ask yourself how using triple AES
>> >would have helped.))
>>
>> Was this a slip of th
At 11:07 AM 5/20/00 -0400, Steven M. Bellovin wrote:
>concern buggy crypto modules, and ask yourself how using triple AES
>would have helped.))
Was this a slip of the finger or are you proposing a 3x256-bit key
mode for the reeealy paranoid?
:-)
In message <[EMAIL PROTECTED]>, John Gilmore writes:
>> You are saying that some guy in his basement can break DES?
>
>Hmm, works in my basement... :-)
>
>If ordinary everyday hackers can remotely command tens of thousands
>of machines to do distributed denial of service attacks, why can't
>they
> You are saying that some guy in his basement can break DES?
Hmm, works in my basement... :-)
If ordinary everyday hackers can remotely command tens of thousands
of machines to do distributed denial of service attacks, why can't
they crack DES keys?
Providing 3DES doesn't cost any more than
At 02:25 PM 05/19/2000 -0400, Arnold G. Reinhold wrote:
> . But a cooperative relationship between Microsoft and NSA
>(or any vendor and their local signals security agency) can be more
>subtle. What if Microsoft agreed not to fix that bug? What if
>Microsoft gives NSA early access to sou
-BEGIN PGP SIGNED MESSAGE-
"L. Sassaman" wrote:
> On Wed, 17 May 2000, Dennis Glatting wrote:
>
> > > Frankly, I can't understand why the IPsec protocol still allows DES. It
> > > should require strong encryption. Having DES in a product these days
> > > makes about as much sense as mand
Someone made the comment in this thread (I can't seem to find it
again) that a bug in MS security that counts as a hole, not a
backdoor. But a cooperative relationship between Microsoft and NSA
(or any vendor and their local signals security agency) can be more
subtle. What if Microsoft agreed
In message <[EMAIL PROTECTED]>, Paul C
rowley writes:
>I'm guessing that they have to have a MUST cipher, and they don't want
>to change twice, so it makes sense to wait until September and then
>make AES (or AES primary) the only MUST cipher.
Correct.
--Steve Bellovin
At 12:56 AM 5/19/00 -0500, John Kelsey wrote:
>few thousand known plaintexts), that fact will be kept secret. Which
>means that they will have to be *very* careful making any use of
>information recovered from that break, to avoid leaking the fact that
>they can break it.
>- --John Kelsey, [EMAIL
Actually, the SAAG voted to drop DES from IPsec back in, oh, the
Minneapolis IETF in March '99 (IIRC). I think the problem is that
nobody has revved the IPsec docs.
-derek
Paul Crowley <[EMAIL PROTECTED]> writes:
> "L. Sassaman" <[EMAIL PROTECTED]> writes:
> > > > Frankly, I can't understand w
Paul Kierstead wrote:
>
> > Frankly, I can't understand why the IPsec protocol still
> > allows DES. It
> > should require strong encryption. Having DES in a product
> > these days makes
> > about as much sense as mandating the usage of ROT13.
>
> OK, so I want to prevent some regular, every-day
-BEGIN PGP SIGNED MESSAGE-
At 08:58 AM 5/18/00 -0400, Russell Nelson wrote:
>L. Sassaman writes:
> > PGP's source code has always been available for public review.
> > This has not changed. There are no "back doors" for the NSA in
> > PGP,
>
>Unless they are particularly subtle ones, bas
"L. Sassaman" <[EMAIL PROTECTED]> writes:
> > > Frankly, I can't understand why the IPsec protocol still allows DES.
> >
> > We are waiting for AES.
>
> So am I correct in assuming you are saying that DES will be disallowed as
> part of the IPsec protocol when AES is finalized?
>
> This would b
At 10:03 AM 5/18/00 -0400, Paul Kierstead wrote:
>OK, so I want to prevent some regular, every-day hackers from picking up my
>traffic. Or I just want reasonable protection for my passwords in Telnet or
>FTP. You are saying that some guy in his basement can break DES?
There's a lot of spare cycl
Will Price has made an exemplary statement on behalf of
PGP. It should be a model to match or beat by the other
producers. Any firm which does not come up to that level
with public statements should be noted widely as contributing
to distrust of US crypto products and policy.
Even so, the statem
> Frankly, I can't understand why the IPsec protocol still
> allows DES. It
> should require strong encryption. Having DES in a product
> these days makes
> about as much sense as mandating the usage of ROT13.
OK, so I want to prevent some regular, every-day hackers from picking up my
traffic. Or
"Will Price" <[EMAIL PROTECTED]> writes:
>So in any case, the issue was rapidly corrected, and within months of NAI
>purchasing TIS, TIS had killed all of its key recovery features, and the KRA
>membership had been cancelled.
There's a paper on adding GAK to IPSEC by someone from NAI in the GAK
> --
> From: L. Sassaman[SMTP:[EMAIL PROTECTED]]
> On Wed, 17 May 2000, John Young wrote:
>
> > While John may be speculating about NSA subversion of strong crypto,
> > specific examples of this would be very helpful. Here are a few firms
> > for consideration as candidates for
L. Sassaman writes:
> PGP's source code has always been available for public review. This has
> not changed. There are no "back doors" for the NSA in PGP,
Unless they are particularly subtle ones, based on a mathematical
understanding that is not yet publicly known. Remember that the NSA
knew
> I have no idea if the KRA is still in business, and, as an employee of
> NAI, I don't really care. It doesn't affect me.
>
> Strong crypto is available. There is nothing that the NSA can do about
> that. If they are smart, they have concentrated their efforts on breaking
> RSA, Diffie-Hellman
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
PGP, Inc. and many other security companies were purchased by Network
Associates in 1997/98. PGP, Inc. was (and still is) one of the
standard bearers for anti-key-recovery solutions including pioneering
the methods for publication of scannable source
Declan writes:
> Their beef: If two Windows 2000 computers without triple-DES are
> talking and the system administrator has configured triple-DES-only
> links, only single-DES gets used. The only error shown is an invisible
> one -- in an audit log file -- so users may have a fals
"L. Sassaman" wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Wed, 17 May 2000, Dennis Glatting wrote:
>
> > > Frankly, I can't understand why the IPsec protocol still allows DES. It
> > > should require strong encryption. Having DES in a product these days makes
> > > about a
"L. Sassaman" wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Wed, 17 May 2000, Dennis Glatting wrote:
>
> > Who's PGP? Last I looked PGP Inc. was owned by Network Associates, a
> > key recovery alliance member.
>
> Huh? PGP, Inc., is a business unit of NAI.
>
> NAI is not p
> Who's PGP? Last I looked PGP Inc. was owned by Network Associates, a
> key recovery alliance member.
>
Is the KRA still in business? They own kra.org, which according
to whois appears to have been renewed last month, but http://www.kra.org
seems to be neglected, returning a "403 Forbidden" er
"L. Sassaman" wrote:
>
> PGP's source code has always been available for public review. This has
> not changed. There are no "back doors" for the NSA in PGP, and PGP has
> never supported weak (under 128 bit) encryption, and never will.
>
Who's PGP? Last I looked PGP Inc. was owned by Network
"L. Sassaman" wrote:
>
> > If a Microsoft user configures 3DES protection and tries to connect it
> > a Linux FreeS/WAN box, the negotiation will fail -- with at least the
> > Linux side reporting that they couldn't agree.
>
> Frankly, I can't understand why the IPsec protocol still allows DES
A condom with an invisible hole is worse than no condom.
At 12:37 PM 5/17/00 -0500, John Kelsey wrote:
>Having some not-trivially-breakable crypto is better than
>nothing for preventing untargeted attacks, where someone's just
>looking at the traffic that goes by, checking for anything
>interest
-BEGIN PGP SIGNED MESSAGE-
At 02:41 AM 5/17/00 -0700, John Gilmore wrote:
...
>Microsoft didn't care
>about the actual security they provide their users ("Having at least
>some encryption is better than nothing" is wrong and dangerous,
>leading to a false sense of security when you are ac
John wrote:
> There have been allegations that NSA influenced Microsoft's encryption
> support (one reason that NSA could afford to relax export controls
> could be that they've already subverted the highest volume US
> products).
John Glimore wrote:
>
> There have been allegations that NSA inf
John Gilmore wrote:
>There have been allegations that NSA influenced Microsoft's encryption
>support (one reason that NSA could afford to relax export controls
>could be that they've already subverted the highest volume US
>products). It's pretty well acknowledged that NSA did this to Crypto
>AG
Declan, your story on Microsoft's IPSEC security missed the point.
Or rather, buried it in paragraph 8!
==> If you configure the machines to use 3DES, they will silently use DES.
That's the problem.
The Linux IPSEC software only supports 3DES. It does not support DES.
People complain about thi
32 matches
Mail list logo