[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC WORKING GROUP LAST CALL

To: "Perry E. Metzger" <perry@piermont.com>
Subject: Re: IPSEC WORKING GROUP LAST CALL
From: "M.C.Nelson" <netsec@panix.com>
Date: Sat, 21 Feb 1998 23:00:26 -0500 (EST)
cc: ipsec@tis.com
In-Reply-To: <199802202027.PAA03149@jekyll.piermont.com>
Sender: owner-ipsec@ex.tis.com

Perry,

Are we in the business of certifying or reviewing encryption algorithms?
Or are we rather in the the business of providing mechanisms and
interoperability for using them?

Digressing only slightly, I recall that when I argued that trusted
networks and security gateways are also poor security, it was said
that this was a matter of policy and not the concern of standards.


Regards,
Mitch Nelson


On Fri, 20 Feb 1998, Perry E. Metzger wrote:

> 
> Someone writes:
> > As Bob said, how to weaken the key is well known but I figured a CBC-MAC
> > was well known and that apparently is not the case. We need documents
> > describing things and there is no document describing "40 bit DES"
> 
> I removed "someone"'s name because I don't want them to think the
> following targets them specifically. It is directed not at particular
> people but at the notion of ciphers with inadequate key lengths being
> standardized, even in the "sheep's clothing" of variable length
> ciphers that permit inadequate lengths.
> 
> <flame height="empire state building" heat="5000 degrees k">
> 
> I don't understand why we wish to specify this at all. Even single DES
> isn't secure any more. IBM, to their credit, doesn't call their 40 bit
> DES based algorithm encryption -- they call it "commercial data
> masking".
> 
> You argue "hey, some of us have to make a living". Well, do it in a
> less damaging way -- sell CD-ROM encyclopedias door to door or
> something.  If you insist on selling your customers junk -- and 40 bit
> encryption is *junk* -- please do not ask the rest of us to endorse
> your mechanism with the imprimateur of the IETF. The last thing I want
> on earth is to see such a box sold with a brochure advertising its
> compliance with RFC YYYY. Find a better way of marketing the
> antifreeze you propose selling as booze to the third world
> natives. You don't need an RFC number to do that.
> 
> Oh, and if any vendor does go through the exercise of selling such a
> thing, I suspect that software will be widely distributed on the net
> to help even unskilled teenage crackers break the "encryption"[sic]
> without having to know what they are doing. I suspect that because if
> no one else does I'll write it and distribute it myself. A false sense
> of security is worse than no security.
> 
> The 40 bit "encryption" fraud must end.
> 
> I've flamed on enough here already, and won't go any further with it
> right now. I believe people can tell how strongly I feel about this.
> 
> </flame>
> 
> 
> Perry
>

Follow-Ups:

Re: IPSEC WORKING GROUP LAST CALL

From: Alex Alten <Andrade@ix.netcom.com>

References:

Re: IPSEC WORKING GROUP LAST CALL

From: "Perry E. Metzger" <perry@piermont.com>

Prev by Date: Re: key derivation for ESP Authentication Algorithm
Next by Date: Re: IPSEC Arch, ports, and tunnel mode SAs
Prev by thread: Re: IPSEC WORKING GROUP LAST CALL
Next by thread: Re: IPSEC WORKING GROUP LAST CALL
Index(es):
- Main
- Thread