[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [mobile-ip] Re: replacing IPsec's replay protection?



Excerpt of message (sent 7 April 2002) by Alex Alten:
> Paul,
> 
> That came from direct experience in the trenchs of building
> secure networking systems (and cryptograpic algorithms).
> Basically I'm saying "Keep It Simple Stupid".  Pick a single
> mode (either ECB or CBC). Use a minimum set of ciphers and
> hashes (preferably one each).  Don't be afraid to build tools
> from scratch to meet specific requirements (like my suggestion
> for a custom hash).  And worry about robustness and reliablity
> of cryptographic materials (thus the need for good RNG's
> and CRC checking).  My observation of this WG is that
> it has bogged itself down for years in extra complexity which
> is the enemy of secure networking systems design. But I'm
> probably wasting my breath giving you this advice, you 
> don't seem to appreciate or understand it.

Insulting people is not a good way to convince others that your ideas
are worth listening to, especially if you don't have any justification
for your comments.

Yes, unnecessary complexity is the enemy of security.  But necessary
complexity is how you get security.  Since you mentioned ECB, I wonder
if you are aware of the reasons why ECB is NEVER used for any network
security protocol.  There are good reasons why it isn't, and it helps
to know what they are.

      paul