I'm just reading this:
http://www.sans.org/reading_room/whitepapers/vpns/1459.php
A few "interesting" things about this document. (E.g., there's a section
called "what the heck is IPSec?" That's very witty, but I'm not sure
how seriously you should trust such a document...)
The basic premise seems to be that all VPN systems currently in
existence actually suck, except OpenVPN which is completely perfect. A
suspicious conclusion, obviously.
The document claims this is because "IPSec is too complicated to be
secure", and that "TLS is mature and battle-tested". It also asserts
that running software in user-space is inherently better from a security
perspective. (While it *is* better, it's hardly the end of the story...)
The document seems to indicate that installing IPSec VPN software on
Windows is excruciatingly difficult due to the built-in IPSec
functionality Windows already has. (...it does??) For example,
"On Windows, OpenVPN installs just like any other program. It comes
bundled up as an executable and all you need to do it double click on
the installer. Total installation of the Windows client takes about 10
minutes including configuration. For anyone who has tried to configure
the builtin Windows IPSec client that should be impressive. For people
who have tried to install and configure third party IPSec clients, that
number should be shocking!"
Um... am I missing something? Installing Cisco's IPSec VPN involves...
double-clicking the installer. And that's it. What's so hard about that?
Also amusing is the statement "Blowfish is a very strong algorithm with
no known weaknesses. Its 128-bit key provides us with a large enough key
space to make brute force key attacks impossible in polynomial time."
Erm... like... WTF?
Still, I did learn one useful thing: Apparently the "route" command
exists on Windoze.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Weeeee....
http://eprint.iacr.org/2008/166.pdf
There's nothing like cryptanalysis to make you paranoid! ;-)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Ooo, shiny...
http://orion.math.iastate.edu/dept/thesisarchive/MS/EKleimanMSSS05.pdf
Anybody know what a "null space" is?
(Better yet - anybody know of a job where knowing this kind of thing is
actually an advantage?)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Invisible wrote:
> The document claims this is because "IPSec is too complicated to be
> secure", and that "TLS is mature and battle-tested".
I like how they make this assertion, then later on say "you might need
the load balancing that IPsec does, but you can get that with OpenVPN by
running this other complicated program on a spare machine." It sounds
like a lot of the complication is stuff that OpenVPN basically leaves out.
Plus, I'm not really sure how they're running TLS over UDP, given that
TLS is stream-oriented and assumes reliable delivery. It's also not real
obvious from their descriptions that it's possible to run a UDP protocol
over OpenVPN.
> Um... am I missing something? Installing Cisco's IPSec VPN involves...
> double-clicking the installer. And that's it. What's so hard about that?
Ditto.
> Also amusing is the statement "Blowfish is a very strong algorithm with
> no known weaknesses. Its 128-bit key provides us with a large enough key
> space to make brute force key attacks impossible in polynomial time."
> Erm... like... WTF?
Of course, it hasn't been tested as furiously as AES, either.
> Still, I did learn one useful thing: Apparently the "route" command
> exists on Windoze.
Yup.
http://technet2.microsoft.com/WindowsServer/en/library/552ed70a-208d-48c4-8da8-2e27b530eac71033.mspx?mfr=true
Might be worth reading thru the list so you know what's available.
--
Darren New / San Diego, CA, USA (PST)
Helpful housekeeping hints:
Check your feather pillows for holes
before putting them in the washing machine.
>> The document claims this is because "IPSec is too complicated to be
>> secure", and that "TLS is mature and battle-tested".
>
> I like how they make this assertion, then later on say "you might need
> the load balancing that IPsec does, but you can get that with OpenVPN by
> running this other complicated program on a spare machine." It sounds
> like a lot of the complication is stuff that OpenVPN basically leaves out.
Well, is that a protocol feature or a software feature?
> Plus, I'm not really sure how they're running TLS over UDP, given that
> TLS is stream-oriented and assumes reliable delivery. It's also not real
> obvious from their descriptions that it's possible to run a UDP protocol
> over OpenVPN.
Hmm, that's a good point.
>> Also amusing is the statement "Blowfish is a very strong algorithm
>> with no known weaknesses. Its 128-bit key provides us with a large
>> enough key space to make brute force key attacks impossible in
>> polynomial time." Erm... like... WTF?
>
> Of course, it hasn't been tested as furiously as AES, either.
I was more amused by the statement that key size has any relationship to
complexity class.
Blowfish is far more popular than, say, TEA or SQUARE or any number of
other ciphers from the zoo of less-known algorithms out there. I note
however that Blowfish has been "replaced" by Twofish which is meant to
be stronger. (An AES finalist, I believe.)
A lot of people are apparently jumpy about the whole XSL attack thing on
AES.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Orchid XP v8 wrote:
>>> The document claims this is because "IPSec is too complicated to be
>>> secure", and that "TLS is mature and battle-tested".
>>
>> I like how they make this assertion, then later on say "you might need
>> the load balancing that IPsec does, but you can get that with OpenVPN
>> by running this other complicated program on a spare machine." It
>> sounds like a lot of the complication is stuff that OpenVPN basically
>> leaves out.
>
> Well, is that a protocol feature or a software feature?
I'm saying that they mock IPsec for solving problems *they* don't have,
because it was "designed by a committee". I suspect the people on the
"committee" actually *did* have those problems, so incorporated
solutions to them into the standard, instead of making everyone solve it
themselves with ad hoc solutions consisting of interacting layers which
could easily introduce a security hole if you don't know what you're doing.
> I was more amused by the statement that key size has any relationship to
> complexity class.
Yes, I understood the WTF. :-) Of course, if it's running over TLS, you
can put whatever cipher both sides agree on in there.
And actually, key size *can* have a relationship to complexity class,
perhaps. If you can pre-compute something that lets you look up in
polynomial time the key that someone is using, except that the key is
too long to store the precomputed somethings for every key, I can see
where that can happen. (Technically, the same complexity class, but in
practice, you can break something in polynomial time if you discount the
precomputation, perhaps.)
But yeah, the whole discussion was full of WTFs like that. Plus, they
say basically "IPSec is too complicated to deploy, OpenVPN does the same
thing only it's easy to deploy", without giving any evidence at all of
either. Most of the paper is a description of SSL, and I'm pretty sure
there aren't fundamental security problems with IPSec that aren't in SSL.
(And apparently the authors don't know the actual difference between
SSL and TLS. Hint: OpenVPN seems to use SSL.)
--
Darren New / San Diego, CA, USA (PST)
Helpful housekeeping hints:
Check your feather pillows for holes
before putting them in the washing machine.
Darren New wrote:
> But yeah, the whole discussion was full of WTFs like that. Plus, they
> say basically "IPSec is too complicated to deploy, OpenVPN does the same
> thing only it's easy to deploy", without giving any evidence at all of
> either. Most of the paper is a description of SSL, and I'm pretty sure
> there aren't fundamental security problems with IPSec that aren't in SSL.
>
> (And apparently the authors don't know the actual difference between
> SSL and TLS. Hint: OpenVPN seems to use SSL.)
Hmm. I just wanted to know whether this piece of software was worth using.
I think I have my answer now...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Orchid XP v8 wrote:
> Hmm. I just wanted to know whether this piece of software was worth using.
> I think I have my answer now...
Oh. I imagine if it solves the problem you have, it's probably worth
using, assuming you can get it working and it's sufficiently widespread
you trust it.
That the people writing the *paper* didn't write it in a convincing way
doesn't really say much about the *code*.
--
Darren New / San Diego, CA, USA (PST)
Helpful housekeeping hints:
Check your feather pillows for holes
before putting them in the washing machine.
Invisible wrote:
> Weeeee....
>
> http://eprint.iacr.org/2008/166.pdf
>
> There's nothing like cryptanalysis to make you paranoid! ;-)
>
It led to a discussion in parliament here and a bad time for one of our
ministers. Introduction of the country-wide OV chipcard (OV is the
abbreviation for public transport) is postponed now.
At the last election in some cities voting was done again by paper and
red pencil because somebody showed that you could listen to what people
voted by putting a radio receiver close to it and a few more
insecurities of the digital voting machines.
What these examples have in common is that they were badly designed and
they relied on people not knowing the details as an important security
measure. The latter is of course an absolute sin in cryptography, but
apparently not (yet) when designing voting equipment or identification
cards.
andrel wrote:
> What these examples have in common is that they were badly designed and
> they relied on people not knowing the details as an important security
> measure. The latter is of course an absolute sin in cryptography, but
> apparently not (yet) when designing voting equipment or identification
> cards.
Security through obscurity = hmm, it doesn't work. ;-)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*