Seth Arnold writes: > On Wed, Apr 17, 2002 at 10:01:13PM -0700, Jere Retzer wrote: > > Question -- have there been any documented cases of weak encryption > > leading to significant exploits? I don't mean to belittle the need for > > encryption but I don't see significant exploits actually happening. > > Maybe the right attitude is to say if we did not keep up that we would > > be seeing exploits. > > [Jere, your emails would be easier to read if you wrapped your lines at > 72 characters. Thanks.] > > Yes, there is significant evidence of weak crypto being used for > significant exploits. > > The SSH CRC-32 compensation attack, discovered by Michal Zalewski, is > the best known example: > http://online.securityfocus.com/bid/2347 > This has been rooting boxes for over a year. I need to take issue with the reference to the CRC-32 attack. That is not an attack against bad crypto. That is an attack against bad programming. The DVD reference is more appropriate, as would be a number of the attacks that are available against WEP40 and WEP128. Toby
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:41:14 PDT