On Mon, 14 Oct 2002 Valdis.Kletnieks@vt.edu wrote:

> On Mon, 14 Oct 2002 12:32:23 EDT, Joe Baptista said:
>
> > You mentioned two security protocols above - well they have proven to be
> > vulnerable.
> >
> > http://search.cert.org/query.html?col=allcert&col=certadv&col=incnotes&col=research&col=secimp&col=techtips&col=trandedu&col=vulnotes&ht=0&qp=&qt=KDC&qs=&qc=&pw=100%25&ws=1&la=en&qm=0&st=1&nh=25&lk=1&rf=2&rq=0&si=1
> > http://search.cert.org/query.html?rq=0&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&col=allcert&col=trandedu&col=vulnotes&col=techtips&col=research&col=certadv&col=incnotes&col=secimp&qt=kerberos
>
> And your point is?

There is no protocol ever developed that cannot be compromised. And if one exists, please let me know.

> > That's exactly my point. I have yet to see anything that can't be
> > compromised.
>
> I am afraid that if you're waiting for "can't be compromised", you are in
> for a VERY long wait. Serious security professionals know that anything CAN
> be compromised - the requirement is that it be merely secure enough to deter
> an attacker. For instance, a GSA Class 5 cabinet or vault is rated to

Exactly. Anything can be compromised. Like I said in the article - security is more an act of faith. The best we can do is hope for the best and be positive.

> He means that v4 versus v6 won't matter a hill of beans to Carnivore,
> what will matter to its data gathering is whether IPSec or other suitable
> crypto is used *on top of* the v4/v6 connection.

OK, I agree with that.

> OK. I'll grant you that. However, I suggest you look at the amount of
> resources needed to actually brute-force decrypt an IPSec connection
> when using the recommended algorithms and key lengths - and then ask yourself
> whether your threat model includes that scale attack (hint - 3DES isn't twice
> as hard to break as single-DES, it's 2^56 or 72,057,594,037,927,936 times
> harder. Now, if the EFF DES-breaker cost $250K, you'll need that many of
> them - which is well over the US GNP. Which three-letter-agency wants to
> spend that much on you, and if it's THAT important, why won't they just
> engage in what Marcus Ranum calls "rubber hose cryptography"?

I don't think we have any dispute here. I don't have the budget to do it - but others on this pretty blue planet do. And thanks for the reading recommendation.

Regards,
Joe Baptista