Firewall Wizards mailing list archives

RE: FW: CISCO PIX Vulnerability

From: Hal <hal () mrj com>
Date: Wed, 17 Jun 1998 13:51:14 -0700

Are you seriously arguing for continuing to use weak crypto over better systems? 
Gosh, I thought only NSA people argued like that. 

----------
From:  Rick Smith[SMTP:rick_smith () securecomputing com]
Sent:  Wednesday, June 17, 1998 8:41 AM
To:  Adam Shostack; hal () mrj com
Cc:  firewall-wizards () nfr net
Subject:  Re: FW: CISCO PIX Vulnerability

Adam Shostack's characterization of DES based products as "stupid" is
important to examine, since DES is a mandatory part of all IPSEC
implementations, and is currently the strongest product that some vendors
can export.

Blanket criticism of short key lengths may be a worthwhile exercise for
crypto theoreticians, but it's misplaced when looking at the "big picture"
of information security. Sites accept lots and lots of vulnerabilities that
are far riskier than even 40 bit encryption.

Let's face it -- lots of people HAVE defaced web sites, they HAVE sniffed
reusable passwords, insiders HAVE stolen plaintext lists of credit card
numbers, con artists HAVE tricked people out of their money on the
Internet. On the other hand, there are NO reports of a criminal or
competitor having ever mounted a brute force cracking attack on a
commercial enterprise and caused it real damage. The fact that custom
cracking machines *could* exist does not mean that there is an economic
justification to cause them to exist. References to Morris, Sr., simply
underline the difference between the NSA's attitude and the real world of
commercial security (another interesting philosophical topic). 

Naturally people should use the longest crypto keys they can get, but it's
not the only technical feature deters attacks. If a product with shorter
keys protects just the right traffic and runs safely and reliably in other
ways, then it might be a better choice. Many companies are better with
their crufty old DES hardware and highly developed internal procedures than
they'd be with the latest 128 bit VPN equipment and unfamiliar
administrative procedures. Security systems WILL fail regardless of how
long the key is. Sites can only expend finite resources, and they have to
cover ALL the threats as best they can.

Rick.
smith () securecomputing com

Current thread:

Re: CISCO PIX Vulnerability, (continued)
- Re: CISCO PIX Vulnerability lum (Jun 04)
- FW: CISCO PIX Vulnerability Hal (Jun 15)
  - Re: FW: CISCO PIX Vulnerability Adam Shostack (Jun 16)
    - Re: FW: CISCO PIX Vulnerability Rick Smith (Jun 17)
    - Re: FW: CISCO PIX Vulnerability Perry E. Metzger (Jun 18)
    - Re: FW: CISCO PIX Vulnerability Rick Smith (Jun 18)
    - Re: FW: CISCO PIX Vulnerability Perry E. Metzger (Jun 23)
    - Going Public with Brute Force (was: CISCO PIX) Rick Smith (Jun 23)
    - Re: FW: CISCO PIX Vulnerability Adam Shostack (Jun 23)
    - Re: FW: CISCO PIX Vulnerability Darren Reed (Jun 24)
- RE: FW: CISCO PIX Vulnerability Hal (Jun 17)
  - RE: FW: CISCO PIX Vulnerability Rick Smith (Jun 17)
    - RE: FW: CISCO PIX Vulnerability Ted Doty (Jun 18)
    - Re: FW: CISCO PIX Vulnerability Joseph S. D. Yao (Jun 26)