[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [mobile-ip] Re: replacing IPsec's replay protection?
Paul,
That came from direct experience in the trenchs of building
secure networking systems (and cryptograpic algorithms).
Basically I'm saying "Keep It Simple Stupid". Pick a single
mode (either ECB or CBC). Use a minimum set of ciphers and
hashes (preferably one each). Don't be afraid to build tools
from scratch to meet specific requirements (like my suggestion
for a custom hash). And worry about robustness and reliablity
of cryptographic materials (thus the need for good RNG's
and CRC checking). My observation of this WG is that
it has bogged itself down for years in extra complexity which
is the enemy of secure networking systems design. But I'm
probably wasting my breath giving you this advice, you
don't seem to appreciate or understand it.
- Alex
At 02:42 PM 4/7/2002 -0400, Paul Koning wrote:
>What did all that come from? It sure looks like an amazing collection
>of strange cryptographic notions -- things like ECB, or a "custom
>hash" on the grounds that HMAC is "massive overkill". Or the notion
>that hardware RNGs need to be mandated.
>
> paul
>
>
--
Alex Alten
Alten@ATTBI.com