Re: FW: CISCO PIX Vulnerability

[Adam Shostack <adam () homeport org>]

Rick Smith wrote:
| Adam Shostack's characterization of DES based products as "stupid" is
| important to examine, since DES is a mandatory part of all IPSEC
| implementations, and is currently the strongest product that some vendors
| can export.
| 
| Blanket criticism of short key lengths may be a worthwhile exercise for
| crypto theoreticians, but it's misplaced when looking at the "big picture"
| of information security. Sites accept lots and lots of vulnerabilities that
| are far riskier than even 40 bit encryption.

        That is correct.  However, I assume that when looking at, eg,
VPN products, the site does not want to do a complete security
evaluation, it wants to evaluate cryptographic products.  If the
company is situated somewhere where it can not buy cryptography
stronger than 40 or 56 bits, then it is forced by its government to
accept risk.  I believe France is the only place where these laws are
enforced.  Laws about deployment exist in other places, but go
unenforced.  See http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm.
If the company can buy longer key lengths, then it is likely a foolish
decision not to, assuming the products have roughly equal management
features.
        
        The export issue is largely a red herring, since I am either
outside the US, and can buy strong crypto from free world vendors, or
I am in the US, and can buy domestic or foriegn, or I am
multinational, and can buy from outside the US.  The fact that I can't
buy from US vendors worldwide does not mean that solid, well written
products are not available worldwide.

        Not using long key lengths, where other factors are equal, is
stupid.  The extra security is roughly free.  Let me repeat, where
other factors are equal.

| Let's face it -- lots of people HAVE defaced web sites, they HAVE sniffed
| reusable passwords, insiders HAVE stolen plaintext lists of credit card
| numbers, con artists HAVE tricked people out of their money on the
| Internet. On the other hand, there are NO reports of a criminal or
| competitor having ever mounted a brute force cracking attack on a
| commercial enterprise and caused it real damage. The fact that custom
| cracking machines *could* exist does not mean that there is an economic
| justification to cause them to exist. References to Morris, Sr., simply
| underline the difference between the NSA's attitude and the real world of
| commercial security (another interesting philosophical topic). 

        Perry has responded well to this set of assertions.  I quoted
Morris because, like Perry, I can't comment on the things I've been
seen and participated in.  I know of at least two cryptanalysis
companies that have been contacted to build a DES key cracker.  I
don't know if either accepted the contract.  

| Naturally people should use the longest crypto keys they can get, but it's
| not the only technical feature deters attacks. If a product with shorter
| keys protects just the right traffic and runs safely and reliably in other
| ways, then it might be a better choice. Many companies are better with
| their crufty old DES hardware and highly developed internal procedures than
| they'd be with the latest 128 bit VPN equipment and unfamiliar
| administrative procedures. Security systems WILL fail regardless of how
| long the key is. Sites can only expend finite resources, and they have to
| cover ALL the threats as best they can.

        Absolutely.  I said 'buying' a DES product is stupid, and I'll
stand by that.  If you have a DES product deployed, its probably time
or past time to replace it, but if you have proper management
solutions in place, that might be hard.  Given the management
processes I've seen in most places, replacing your old hardware with
something newer will be unlikely to cause a reduction in the quality
of the KM process.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume