Re: CRIME NIPC Watch Daily Report 21 February 2002

From: Seth Arnold (sarnold@private)
Date: Thu Feb 21 2002 - 12:24:52 PST


    On Thu, Feb 21, 2002 at 10:11:31AM -0800, Crispin Cowan wrote:
    > >Note squib on City of Glendale going to wireless LAN. I'm not sure that 3DES
    > >encryption is all that secure--though it may be for Glendale...
    > >
    > 3DES is plenty secure for most any application requiring symmetric 
    > cryptography.
    
    3DES's primary shortcoming is its speed: very, very slow in comparison
    to other symmetric ciphers. Hardware implementations don't have this
    weakness.
    
    > What makes the security of the Glendale application sketchy is that 3DES 
    > (and single DES, and AES) are not very useful for authentication, and 
    > the one-paragraph article does not discuss authentication. This is a 
    > concern, because it is authentication problems that broke 802.11b and 
    > 802.11a.
    
    Hmm; if I recall correctly, authentication was only one problem
    encountered with WEP/802.11; improper use of RC4 allowed keys to be
    recovered quickly. From a cursory glance at the Borisov, Goldberg,
    Wagner paper, the problem is liable to exist in a 3DES implementation as
    well.
    
    Furthermore, the packets are protected only with CRC-32, woefully
    inadequate for the job. This problem is liable to exist in a 3DES
    implementation as well -- but should be possible to be replaced, should
    someone care enough.
    
    There are two authentication problems -- traditional 802.11
    implementations use a single shared key amongst all workstations. (!)
    The 802.1x RSN 'fix' is actually not a fix, as pointed out by Arbaugh
    recently. (It lacks bidirectional authentication. Oops.)
    
    Maybe some of the 802.11 stuff is salvageable for secure use -- but I
    think it will require extensive re-engineering of the security
    protocols.
    
    Cheers :)
    
    -- 
    "I'm not sure which upsets me more: that people are so unwilling
    to accept responsibility for their own actions, or that they are
    so eager to regulate everyone else's." -- Kee Hinckley
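
The CRC-32 point in the message above, for the WEP-style stream-cipher case, as an added example that is not part of the original post: a frame checked only by an encrypted CRC-32 accepts a change made without the key, while the same change is rejected when a keyed MAC (HMAC-SHA256, swapped in here) covers the ciphertext. The keystream is a constructed SHA-256 counter-mode stand-in rather than RC4, and the keys, message and function names are all assumptions made for the illustration.

```python
import hashlib, hmac, zlib

def keystream(key: bytes, n: int) -> bytes:
    """Constructed stand-in stream cipher (SHA-256 in counter mode), not RC4."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def seal_crc(key: bytes, msg: bytes) -> bytes:
    """WEP-style framing: keystream XOR (msg || CRC-32(msg))."""
    body = msg + crc(msg)
    return xor(body, keystream(key, len(body)))

def open_crc(key: bytes, frame: bytes):
    body = xor(frame, keystream(key, len(frame)))
    msg, icv = body[:-4], body[-4:]
    return msg if crc(msg) == icv else None

def seal_mac(key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: the tag is keyed and covers the ciphertext."""
    ct = xor(msg, keystream(key, len(msg)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_mac(key: bytes, mac_key: bytes, frame: bytes):
    ct, tag = frame[:-32], frame[-32:]
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return xor(ct, keystream(key, len(ct))) if hmac.compare_digest(tag, good) else None

def keyless_edit(frame: bytes, delta: bytes) -> bytes:
    """Change made in transit with no key: XOR delta into the payload and patch
    the 4 check bytes, using crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros)."""
    fix = xor(crc(delta), crc(bytes(len(delta))))
    return xor(frame, delta + fix)

def demo():
    key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    msg = b"PAY 0100 TO ALICE"                      # constructed sample payload
    delta = xor(msg, b"PAY 9100 TO ALICE")          # bits to flip in transit
    crc_result = open_crc(key, keyless_edit(seal_crc(key, msg), delta))
    frame = seal_mac(key, mac_key, msg)
    mac_result = open_mac(key, mac_key, xor(frame, delta) + frame[len(delta):])
    return crc_result, mac_result  # CRC frame accepts the change, MAC frame rejects it
```
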
    
    
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:05 PDT