Firewall Wizards mailing list archives
RE: FW: CISCO PIX Vulnerability
From: Hal <hal () mrj com>
Date: Wed, 17 Jun 1998 13:51:14 -0700
Are you seriously arguing for continuing to use weak crypto over better systems? Gosh, I thought only NSA people argued like that.

----------
From: Rick Smith[SMTP:rick_smith () securecomputing com]
Sent: Wednesday, June 17, 1998 8:41 AM
To: Adam Shostack; hal () mrj com
Cc: firewall-wizards () nfr net
Subject: Re: FW: CISCO PIX Vulnerability

Adam Shostack's characterization of DES based products as "stupid" is important to examine, since DES is a mandatory part of all IPSEC implementations, and is currently the strongest product that some vendors can export.

Blanket criticism of short key lengths may be a worthwhile exercise for crypto theoreticians, but it's misplaced when looking at the "big picture" of information security. Sites accept lots and lots of vulnerabilities that are far riskier than even 40 bit encryption. Let's face it -- lots of people HAVE defaced web sites, they HAVE sniffed reusable passwords, insiders HAVE stolen plaintext lists of credit card numbers, con artists HAVE tricked people out of their money on the Internet. On the other hand, there are NO reports of a criminal or competitor having ever mounted a brute force cracking attack on a commercial enterprise and caused it real damage. The fact that custom cracking machines *could* exist does not mean that there is an economic justification to cause them to exist. References to Morris, Sr., simply underline the difference between the NSA's attitude and the real world of commercial security (another interesting philosophical topic).

Naturally people should use the longest crypto keys they can get, but it's not the only technical feature that deters attacks. If a product with shorter keys protects just the right traffic and runs safely and reliably in other ways, then it might be a better choice. Many companies are better with their crufty old DES hardware and highly developed internal procedures than they'd be with the latest 128 bit VPN equipment and unfamiliar administrative procedures.

Security systems WILL fail regardless of how long the key is. Sites can only expend finite resources, and they have to cover ALL the threats as best they can.

Rick.
smith () securecomputing com
Current thread:
- Re: CISCO PIX Vulnerability, (continued)
- Re: CISCO PIX Vulnerability lum (Jun 04)
- FW: CISCO PIX Vulnerability Hal (Jun 15)
- Re: FW: CISCO PIX Vulnerability Adam Shostack (Jun 16)
- Re: FW: CISCO PIX Vulnerability Rick Smith (Jun 17)
- Re: FW: CISCO PIX Vulnerability Perry E. Metzger (Jun 18)
- Re: FW: CISCO PIX Vulnerability Rick Smith (Jun 18)
- Re: FW: CISCO PIX Vulnerability Perry E. Metzger (Jun 23)
- Going Public with Brute Force (was: CISCO PIX) Rick Smith (Jun 23)
- Re: FW: CISCO PIX Vulnerability Adam Shostack (Jun 16)
- Re: FW: CISCO PIX Vulnerability Adam Shostack (Jun 23)
- Re: FW: CISCO PIX Vulnerability Darren Reed (Jun 24)
- RE: FW: CISCO PIX Vulnerability Rick Smith (Jun 17)
- RE: FW: CISCO PIX Vulnerability Ted Doty (Jun 18)
- Re: FW: CISCO PIX Vulnerability Joseph S. D. Yao (Jun 26)