Interesting People mailing list archives
"the net"... campus-type links, and conceptualizing remote data
From: Dave Farber <dave () farber net>
Date: Wed, 16 Sep 2009 15:27:30 -0400
Begin forwarded message:
From: "David P. Reed" <dpreed () reed com> Date: September 16, 2009 11:53:54 EDT To: dave () farber net Cc: ip <ip () v2 listbox com>Subject: Re: [IP] "the net"... campus-type links, and conceptualizing remote data
Steve Bellovin's note makes my points exactly. But to be as secure as a "wire" is a very low bar. Wired ethernet was not secure in any sense. Easy to tap, either by becoming promiscuous or by simple drop-in device plugged transparently between hub/switch and target.The presence or absence of "security" in the 802.11 suite merely presented a marketing checkbox, one that was essentially a fib (lie is perhaps too strong).IMO, which may not be shared, the obsession of the crypto-heads with improving WEP's prefix and so forth was a diversion. Even WPA is horrendously weak against pen-testers, because it doesn't fit into real threat models almost all of the time. (strong crypto algorithms don't solve problems, they just move the attacker to the next weakest point of the system, while confusing the security "professionals", who got their "certification" from a summer course at a vendor, into thinking they are "secure").On 09/15/2009 10:26 PM, David Farber wrote:Begin forwarded message: From: "Steven M. Bellovin" <smb () cs columbia edu> Date: September 15, 2009 8:23:14 PM EDT To: dave () farber netSubject: Re: [IP] Re: "the net"... campus-type links, and conceptualizing remote dataThe 802.11 WEP protocol is a security disaster. Even in the climate of the early 1990s -- and WEP uses RC4, which if I recall correctly didn'tcome about until circa 1994 -- it has a number of serious, and mostly avoidable, mistakes. Put bluntly, it was badly designed in ways that were avoidable even with the knowledge and the outlook of the time. And as someone who was doing security and crypto back then, I'm very well aware of the attitudes towards security prevailing then. WEP has three serious weaknesses; two of them were avoidable, even given its goals and the knowledge of the time. The problem that has gotten the most attention is the cryptographicweakness of RC4, especially against related key attacks. This was notknowable then. Indeed, given its efficiency, it would have seemed a natural choice. However -- and this certainly was knowable -- RC4 is a stream cipher, and as such a fundamentally bad choice for encrypting datagrams. I'll skip the details; see the 2001 paper by Borisov, Goldberg, and Wagner on 802.11 insecurity. Basically, though, this was a very avoidable mistake. The biggest problem, though, is the lack of key management, which in turn stems from lack of much consideration of an operational model.How, in an organization of any size, can you simultaneously roll all ofthe keys? I'll also note that the lack of key management exacerbates the other two problems. I'm told that omitting key management was an explicit design decision by the committee, because it wasn't theirproblem; on the other hand, they also omitted the usual accommodationsto a key management protocol, such as an over-the-wire keyID. ------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- Re: "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 13)
- <Possible follow-ups>
- Re: "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 15)
- Re: "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 15)
- Re: "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 15)
- "the net"... campus-type links, and conceptualizing remote data David Farber (Sep 15)
- "the net"... campus-type links, and conceptualizing remote data Dave Farber (Sep 16)