Re: Win2000 IKE and 3des
Sounds to me like a CERT advisory is warranted. And wide press coverage.
Of all the stupid.....
jan
On Fri, 12 May 2000, Sandy Harris wrote:
> > Chun Ye wrote:
> >
> > This is not a design error.
>
> No, that is far too mild a term for it.
>
> > If you have an export driver, how can you expect to run 3DES?
>
> If I have a policy that says 3DES, how can you deliver DES?
>
> At least one court:
>
> http://www.thestandard.net/article/display/0,1151,1780,00.html
>
> has held a bank liable for using DES, described by the judge as
> "out-of-date and not safe enough". If Microsoft software changes
> the policy the system admin sets, who is liable for any damage?
>
> > >>>>> "Sumi" == Sumi Singh <sumis@Exchange.Microsoft.com> writes:
> >
> > Sumi> Just to clarify the behaviour of Windows 2000 - Windows 2000
> > Sumi> weakens 3DES policy to DES if you do not have the strong
> > Sumi> encryption pack (128-bit) installed. This weakening is
> > Sumi> announced by an event in the Audit log. So if you have 2 peers
> > Sumi> with no encryption pack installed, and a policy to use 3DES,
> > Sumi> they will talk DES since they cannot do 3DES.
> >
> > Clearly that's a major design error.
> >
> > If you ask for something that's not supported, it should be rejected.
> > To change it (even with a message in some obscure log) is clearly
> > wrong. You don't build secure systems that way.
>
> Even with an audible alarm and a message in two inch red letters on
> the console, it is clearly wrong.
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
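The thread's point is that a policy demanding 3DES must fail closed when 3DES is unavailable, not fall back to DES with an audit-log entry. The following is an added illustration, not code from the thread or from Windows 2000: a small negotiation helper with both behaviours side by side. The names `negotiate_cipher`, `PolicyViolation` and the `audit` list, and the strength table, are constructed for this example.

```python
"""Fail-closed vs. silent-downgrade handling of an IKE cipher policy.

Added example; not code from the thread or from any IKE implementation.
All names and the strength ordering below are constructed for illustration.
"""

# Relative strength of the two transforms discussed in the thread (constructed).
STRENGTH = {"DES": 1, "3DES": 2}


class PolicyViolation(Exception):
    """Raised when the configured policy cannot be honoured as written."""


def negotiate_cipher(policy_cipher, local_supported, peer_offered,
                     downgrade=False, audit=None):
    """Choose the cipher for the security association.

    policy_cipher   -- what the administrator's IPsec policy demands, e.g. "3DES"
    local_supported -- ciphers this host can actually run (an export build lacks 3DES)
    peer_offered    -- transforms proposed by the peer
    downgrade       -- True reproduces the behaviour criticised in the thread:
                       pick a weaker cipher and merely record it in the audit log
    audit           -- optional list that stands in for the audit log
    """
    audit = audit if audit is not None else []
    if policy_cipher in local_supported and policy_cipher in peer_offered:
        return policy_cipher
    if not downgrade:
        # Fail closed: policy said 3DES, so anything else is a policy violation
        # and the SA is simply not established.
        raise PolicyViolation(
            f"policy requires {policy_cipher}, which is not available")
    # Silent-downgrade behaviour: take the strongest mutually available cipher,
    # even though it is weaker than policy, and only note it in the audit log.
    candidates = [c for c in peer_offered if c in local_supported]
    if not candidates:
        raise PolicyViolation("no cipher common to both peers")
    chosen = max(candidates, key=lambda c: STRENGTH.get(c, 0))
    audit.append(f"policy weakened from {policy_cipher} to {chosen}")
    return chosen
```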