
Re: IPSEC WORKING GROUP LAST CALL




Someone writes:
> As Bob said, how to weaken the key is well known but I figured a CBC-MAC
> was well known and that apparently is not the case. We need documents
> describing things and there is no document describing "40 bit DES"

I removed "someone"'s name because I don't want them to think the
following targets them specifically. It is directed not at particular
people but at the notion of ciphers with inadequate key lengths being
standardized, even in the "sheep's clothing" of variable length
ciphers that permit inadequate lengths.

<flame height="empire state building" heat="5000 degrees k">

I don't understand why we wish to specify this at all. Even single DES
isn't secure any more. IBM, to their credit, doesn't call their 40 bit
DES based algorithm encryption -- they call it "commercial data
masking".

You argue "hey, some of us have to make a living". Well, do it in a
less damaging way -- sell CD-ROM encyclopedias door to door or
something.  If you insist on selling your customers junk -- and 40 bit
encryption is *junk* -- please do not ask the rest of us to endorse
your mechanism with the imprimatur of the IETF. The last thing I want
on earth is to see such a box sold with a brochure advertising its
compliance with RFC YYYY. Find a better way of marketing the
antifreeze you propose selling as booze to the third world
natives. You don't need an RFC number to do that.

Oh, and if any vendor does go through the exercise of selling such a
thing, I suspect that software will be widely distributed on the net
to help even unskilled teenage crackers break the "encryption"[sic]
without having to know what they are doing. I suspect that because if
no one else does I'll write it and distribute it myself. A false sense
of security is worse than no security.

The 40 bit "encryption" fraud must end.

I've flamed on enough here already, and won't go any further with it
right now. I believe people can tell how strongly I feel about this.

</flame>


Perry

