Interesting People mailing list archives
"the net"... campus-type links, and conceptualizing remote data
From: David Farber <dave () farber net>
Date: Tue, 15 Sep 2009 22:26:07 -0400
Begin forwarded message: From: "Steven M. Bellovin" <smb () cs columbia edu> Date: September 15, 2009 8:23:14 PM EDT To: dave () farber netSubject: Re: [IP] Re: "the net"... campus-type links, and conceptualizing remote data
The 802.11 WEP protocol is a security disaster. Even in the climate of the early 1990s -- and WEP uses RC4, which if I recall correctly didn't come about until circa 1994 -- it has a number of serious, and mostly avoidable, mistakes. Put bluntly, it was badly designed in ways that were avoidable even with the knowledge and the outlook of the time. And as someone who was doing security and crypto back then, I'm very well aware of the attitudes towards security prevailing then. WEP has three serious weaknesses; two of them were avoidable, even given its goals and the knowledge of the time. The problem that has gotten the most attention is the cryptographic weakness of RC4, especially against related key attacks. This was not knowable then. Indeed, given its efficiency, it would have seemed a natural choice. However -- and this certainly was knowable -- RC4 is a stream cipher, and as such a fundamentally bad choice for encrypting datagrams. I'll skip the details; see the 2001 paper by Borisov, Goldberg, and Wagner on 802.11 insecurity. Basically, though, this was a very avoidable mistake. The biggest problem, though, is the lack of key management, which in turn stems from lack of much consideration of an operational model. How, in an organization of any size, can you simultaneously roll all of the keys? I'll also note that the lack of key management exacerbates the other two problems. I'm told that omitting key management was an explicit design decision by the committee, because it wasn't their problem; on the other hand, they also omitted the usual accommodations to a key management protocol, such as an over-the-wire keyID. ------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- Re: "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 13)
- <Possible follow-ups>
- Re: "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 15)
- Re: "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 15)
- Re: "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 15)
- "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 15)
- "the net"... campus-type links, and conceptualizing remote data Dave Farber (Sep 16)