[28440] in North American Network Operators' Group
RE: ABOVE.NET SECURITY TRUTHS?
daemon@ATHENA.MIT.EDU (Roeland Meyer (E-mail))
Sat Apr 29 17:17:18 2000
Reply-To: <rmeyer@mhsc.com>
From: "Roeland Meyer (E-mail)" <rmeyer@mhsc.com>
To: "'Deepak Jain'" <deepak@ai.net>,
"'Joshua Goodall'" <joshua@roughtrade.net>
Cc: "'Steven M. Bellovin'" <smb@research.att.com>,
"'Chris Cappuccio'" <chris@dqc.org>,
"'Mr. James W. Laferriere'" <babydr@baby-dragons.com>,
"'Greene, Dylan'" <DGreene@navisite.com>,
"'Paul Froutan'" <pfroutan@rackspace.com>, <nanog@merit.edu>
Date: Sat, 29 Apr 2000 14:06:29 -0700
Message-ID: <006901bfb21e$ca935740$eaaf6cc7@PEREGRIN>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <Pine.BSF.4.21.0004291614090.27218-100000@aries.ai.net>
Errors-To: owner-nanog-outgoing@merit.edu
IMHO, this is a rathole. While the science behind the implementation of =
ecryption algorithms, in general, may be less than perfect. The =
engineering behind the implementation is "good enough", for various =
flavors of data usability persistance.
Encryption only has to protect its data for that time when the release =
of that data may be detrimental. The absolute best encryption methods =
only slow down the cracker. But, that's all it has to do. At the =
moment, DES is crackable in about 12 hours (see: distributed.net and =
eff.org). Evenso, it is sufficient to protect data which only has a =
useful transient half-life of 3-6 hours, such as one-time pass codes. It =
is certainly more secure than plain-text. Sessions using passwds, that =
are changed weekly, or even monthly, are certainly well protected by =
SSH1. Likewise, most session management packets, scripts, and =
configuration commands, are not useful data beyond a few weeks. The Data =
gets stale. OTOH, CC numbers are good for years (until the expiration =
date) and must be better protected. But its shelf-life is still finite.
ie: I don't care if anyone knows the password that I used last Monday, =
because I've changed it three times since then. Likewise, if someone can =
crack my cyper-text 200 years from now, I will most likely be beyond =
careing, at that time<grin>.=20
> From: Deepak Jain [mailto:deepak@ai.net]
> Sent: Saturday, April 29, 2000 1:16 PM
> > This statement is a litle too broad. I would contest that=20
> the design of,
> > say, FreeBSD's /dev/random permits sufficient entropy collection to
> > usefully initialise a strong hashing algorithm with a=20
> non-predictable
> > vector.=20
>=20
> Okay, you know where I was going. Simple question - where are you
> finding entropy in a FreeBSD machine? (sufficient being a=20
> very relative
> term)
>=20
> Not intending to scare anyone.=20
