Re: Win2000 IKE and 3des
> Chun Ye wrote:
>
> This is not a design error.
No, that is far too mild a term for it.
> If you have an export driver, how can you expect to run 3DES?
If I have a policy that says 3DES, how can you deliver DES?
At least one court:
http://www.thestandard.net/article/display/0,1151,1780,00.html
has held a bank liable for using DES, described by the judge as
"out-of-date and not safe enough". If Microsoft software changes
the policy the system admin sets, who is liable for any damage?
> >>>>> "Sumi" == Sumi Singh <sumis@Exchange.Microsoft.com> writes:
>
> Sumi> Just to clarify the behaviour of Windows 2000 - Windows 2000
> Sumi> weakens 3DES policy to DES if you do not have the strong
> Sumi> encryption pack (128-bit) installed. This weakening is
> Sumi> announced by an event in the Audit log. So if you have 2 peers
> Sumi> with no encryption pack installed, and a policy to use 3DES,
> Sumi> they will talk DES since they cannot do 3DES.
>
> Clearly that's a major design error.
>
> If you ask for something that's not supported, it should be rejected.
> To change it (even with a message in some obscure log) is clearly
> wrong. You don't build secure systems that way.
Even with an audible alarm and a message in two inch red letters on
the console, it is clearly wrong.
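The principle the thread argues for (a negotiator that cannot meet the configured policy must refuse, not quietly substitute a weaker cipher) can be shown in a small model. The following is an added example, not code from the original message or from any of the products discussed; the function and cipher names, the strength table, and the audit-event strings are all constructed for illustration. `select_cipher_downgrade` models the Windows 2000 behaviour as the thread describes it (3DES policy weakened to DES, announced only by an audit-log event), and `select_cipher_strict` models the fail-closed behaviour the posters call for. `downgrade_events` is a hypothetical detection helper that picks the weakening events out of a constructed audit log, since in the described design that log entry is the only signal an operator gets.

```python
"""Model of IKE cipher selection: fail-closed vs. silent downgrade.

Added example, not from the original thread. All identifiers below are
constructed; nothing here calls a real IKE implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed strength table (effective key bits) for the two ciphers the
# thread discusses; used only to pick "the strongest cipher both sides have".
CIPHER_STRENGTH = {"DES": 56, "3DES": 112}


class PolicyViolation(Exception):
    """Raised when the configured policy cannot be honoured as written."""


@dataclass
class Proposal:
    # Ciphers the remote peer offers, in its order of preference.
    ciphers: Tuple[str, ...]


@dataclass
class NegotiationResult:
    cipher: Optional[str]
    audit_events: List[str] = field(default_factory=list)


def select_cipher_strict(policy_cipher: str,
                         local_supported: Tuple[str, ...],
                         peer_offer: Proposal) -> NegotiationResult:
    """Fail closed: the only acceptable outcome is the cipher the policy names.

    Models the behaviour the thread asks for: if either this host (e.g. an
    export build without the strong-encryption pack) or the peer cannot do
    the configured cipher, the negotiation is rejected outright.
    """
    if policy_cipher not in local_supported:
        raise PolicyViolation(
            f"policy requires {policy_cipher} but this host cannot provide it")
    if policy_cipher not in peer_offer.ciphers:
        raise PolicyViolation(
            f"policy requires {policy_cipher} but peer did not offer it")
    return NegotiationResult(cipher=policy_cipher)


def select_cipher_downgrade(policy_cipher: str,
                            local_supported: Tuple[str, ...],
                            peer_offer: Proposal) -> NegotiationResult:
    """Models the described Windows 2000 behaviour (constructed, not real code):

    pick the strongest cipher both sides share, and if that is weaker than
    the policy, carry on anyway and record an audit event.
    """
    common = [c for c in peer_offer.ciphers if c in local_supported]
    if not common:
        return NegotiationResult(None, ["IKE: no common cipher, negotiation failed"])
    chosen = max(common, key=lambda c: CIPHER_STRENGTH[c])
    events = []
    if CIPHER_STRENGTH[chosen] < CIPHER_STRENGTH[policy_cipher]:
        # The only visible trace of the weakening is this log entry.
        events.append(f"IKE: policy weakened from {policy_cipher} to {chosen}")
    return NegotiationResult(chosen, events)


def downgrade_events(audit_log: List[str]) -> List[str]:
    """Hypothetical detection helper: return the audit lines that record a
    policy weakening, so an operator can alert on them rather than rely on
    noticing them by eye."""
    return [line for line in audit_log if "policy weakened" in line]


if __name__ == "__main__":
    policy = "3DES"
    export_host = ("DES",)          # constructed: no strong-encryption pack
    full_host = ("DES", "3DES")     # constructed: strong-encryption pack installed
    export_peer = Proposal(("DES",))

    weak = select_cipher_downgrade(policy, export_host, export_peer)
    print("downgrade model:", weak.cipher, weak.audit_events)
    try:
        select_cipher_strict(policy, export_host, export_peer)
    except PolicyViolation as exc:
        print("strict model:", exc)
    ok = select_cipher_strict(policy, full_host, Proposal(("3DES", "DES")))
    print("strict model with capable peers:", ok.cipher)
```

The strict selector is the one to keep: a host that cannot satisfy its own policy fails the negotiation and the administrator finds out immediately, instead of discovering from an audit log that traffic has been protected with a cipher the policy forbade.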