
To: cipe-l <cipe-l,AT,inka,DOT,de>
Subject: RE: What do you guys think about this?
From: Rod Boyce <rod_boyce,AT,stratexnet,DOT,com>
Date: Wed, 24 Sep 2003 07:36:39 +1200

These concerns are all fine from a theoretical point of view.  But in the
real world if the data you are transporting is that important then maybe
some kind of hardware encryption would make better sense...

So to put this another way: how long (and how much effort) is it going to
take an attacker to either intercept the packets with a man in the middle
attack or break the cipher, and how important is the data?  I have never done
VPNs for banks or military or any other organisation that imposes high
security restrictions.  Most of the VPNs I have installed are sending
e-mail and the odd remote client session between two offices either across
the world or across the town / country.

IMHO CIPE is far more than adequate for this job.  The time and effort
required for an attacker to interrupt the data stream or break the cipher is
far greater than the knowledge that can be gained from the information.

Don't forget that even hardware encryption devices can be hacked; all these
boxes do is provide a false sense of security for bosses and managers that
have far too much money to spend and aren't getting the right advice.

Regards,
Rod Boyce

> -----Original Message-----
> From: Mr Allwyn Fernandes [mailto:af+cipel,AT,stobor,DOT,net]
> Sent: Tuesday, 23 September 2003 4:58 p.m.
> To: cipe-l
> Subject: Re: What do you guys think about this?
> 
> I can't stand anyone who thinks that they are better than everyone else
> just because they have the tag "expert"... However...
> 
> What bothers me is that I can read both:
> http://sites.inka.de/sites/bigred/devel/CIPE-Protocol.txt
> and:
> http://www.mit.edu:8008/bloom-picayune/crypto/14238
> repeatedly one after the other, and come away thinking that I have
> missed something in both...
> 
> I should look at the source, I've been meaning to help out for a while
> now but I haven't gotten around to it... My real question is: if we
> look past his childish attitude, does he have any real concerns?
> And if so, is there anything we can do to fix them?
> 
> From what I can tell, his points are:
> * integrity protection for data is weak,
> * weak protection against message insertion or deletion. This is
> acknowledged as weak protection against replays in the protocol
> description,
> * keys can be modified in transit, allowing an attacker to pick certain
> keys, and
> * an attacker can manipulate the key exchange process.
> 
> So the questions are:
> - Are any of these considered "fixed" or not-an-issue by the developers?
> (For example, replay attacks against most systems will be not-an-issue
> because of the tunneled protocol...)
> - Are any of these under development ATM? are they known todos?
> - Are they anything we should be considering as issues?
> 
> 
> And finally, Is there anything I can do to help??
> 
> Cheers,
> 
> Allwyn.
> 
> PS: I'm otherwise a satisfied user...
> 
> On Tue, 23 Sep 2003 13:54, you wrote:
> > yeah, pissed me off too.  But you hit the nail on the head with
> > infantile in the same paragraph with Gutmann.  Rant away....
> >
> > ---russ
> >
> > Russell Berry
> > Berrex Computer Solutions
> > http://www.berrex.com
> > Russ,AT,berrex,DOT,com
> > 1-877-558-9507
> > ----- Original Message -----
> > From: "Damion Wilson" <dwilson,AT,ibl,DOT,bm>
> > To: "Groups" <groups,AT,hasely,DOT,com>
> > Cc: <cipe-l,AT,inka,DOT,de>
> > Sent: Monday, September 22, 2003 11:20 PM
> > Subject: Re: What do you guys think about this?
> >
> > > Alright. I've just seen this on Slashdot and a few things pissed me
> > > off:
> > >
> > > 1. CIPE has apparently been declared a "dead" project.
> > >
> > > 2. The cursory analysis by Peter Gutmann appears to have missed
> > > subtle things. For instance, CIPE primarily using Blowfish (and
> > > not IDEA).
> > >
> > > 3. The apparent zeal with which all non IPSec or SSL
> > > implementations are attacked as basically infantile and not worth
> > > entertaining smacks of patronising.
> > >
> > > 4. Some issues are stated as being known "years ago" and ignored. I
> > > don't recall the issues he raises as having crossed my 5 year
> > > participation on this list, the "man in the middle" vulnerability
> > > notwithstanding. We appear to have voted for simplicity in this
> > > regard, correct me if I'm wrong. It's easier to believe that your
> > > ISP isn't out to get you.
> > >
> > > If Mr. Gutmann had bothered to peruse the mailing list archives
> > > (the link was right on the same page as the protocol description),
> > > he might have had the chance to determine what was important to the
> > > userbase and, instead of declaring CIPE, Tinc, OpenVPN, et al.
> > > "dead", he might have realised what was important enough to them to
> > > specifically eschew IPSec, etc. in choosing our specific flavours
> > > of VPN.
> > >
> > > He deems us stupid and foolhardy for making the decision to use
> > > these products, develop for them, and show loyalty to them in the
> > > face of software and techniques that he prefers. Apparently, we're
> > > all a bunch of idiots and it only took him a 30 minute or more
> > > analysis for him to determine it, and the other projects weren't as
> > > lucky. Let's all remember the Andrew Tanenbaum v Linus Torvalds
> > > "discussion" over the relative technical merits of Minix over
> > > Linux.
> > >
> > > I'm still pissed. I need to rant some more later
> > >
> > > I'd like to know if Olaf has anything to say about it, though.
> > > Peter Gutmann apparently attempted to contact him.
> > >
> > > DKW
> > >
> > > On Monday 22 September 2003 08:57 pm, Groups wrote:
> > > > I've been using CIPE for over a year now, and my boss just
> > > > forwarded this link,
> > > > http://www.mit.edu:8008/bloom-picayune/crypto/14238, to a
> > > > posting about the security of CIPE.  Does anyone have any
> > > > arguments that may help me out?
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > > > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in 
> > > > body
> > > > Other commands available with "help" in body to the same address.
> > > > CIPE info and list archive:
> > > > <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> > >
> 
> --
> Allwyn Fernandes
> Director
> Stobor Pty Ltd
> 
> Mobile: + 61 414 470 392
> Email: af+cipel,AT,stobor,DOT,net
> 

