Firewall Wizards mailing list archives
Re: FW: CISCO PIX Vulnerability
From: Rick Smith <rick_smith () securecomputing com>
Date: Thu, 18 Jun 1998 09:48:11 -0500
At 09:12 AM 6/18/98 -0400, Perry E. Metzger wrote:
You should remember that we made DES mandatory only for interoperability reasons, and that the decision was made years ago. If we were doing it again today, I suspect that we would have made 3DES mandatory instead.
I think we all realize *why* there are products with short keys. But the point for users is that *most* of their choices involve short keys, so that's what lots and lots of them are going to use. We need to provide sensible guidance in using such products, instead of simply blowing off the majority of products available. People are going to use them anyway, so we might as well get used to talking about them.
On the other hand, there are NO reports of a criminal or competitor having ever mounted a brute force cracking attack on a commercial enterprise and caused it real damage.
It is likely that you wouldn't hear about it if it happened.
Disagree. If such attacks cause financially significant damage in a number of enterprises, then the results *will* become public. If the attacks are relatively insignificant (i.e. they can be hidden by all victims) then they must be relatively insignificant as security threats go.
Remember: I'm *not* saying that key length is irrelevant, I'm saying that it's only one of many parameters. For many types of information, brute force decryption is *not* going to represent the biggest threat to an enterprise. Cracking a single randomly chosen message isn't going to be worth the effort to an attacker unless all messages contain something valuable, like a reusable secret password.
Rick.
smith () securecomputing com