[2693] in cryptography@c2.net mail archive
Re: PPTP (in the People's Court)
daemon@ATHENA.MIT.EDU (David Jablon)
Thu May 14 11:05:41 1998
Date: Thu, 14 May 1998 00:41:19 -0400
To: "Arnold G. Reinhold" <reinhold@world.std.com>,
Black Unicorn <unicorn@schloss.li>, pgut001@cs.auckland.ac.nz,
cryptography@c2.net
From: David Jablon <dpj@world.std.com>
In-Reply-To: <v03130306b17f5c909813@[24.128.118.45]>
>At 11:52 PM -0500 5/12/98, Black Unicorn replied to Peter Gutmann as follows:
>>This assumption, that this is a clear and obvious case to make in court, is
>>perhaps the cardinal sin of information security "gurus." [...]
At 01:23 PM 5/13/98 -0400, Arnold G. Reinhold wrote:
>[...]
>Fear of litigation has proven to be a powerful way to get engineers to do
>their jobs properly and to get their managers to heed safety
>recommendations.
A court-room drama about "irresponsibly weak" security sounds
like fun, but realistically, the only court that seems to matter
today is the court of public opinion.
Arnold also wrote:
>By the way, the issue here is not 40-bit crypto, but PPTP using RC4 keys
>twice.
I think a technical priority is the weakness of PPTP's session
key generation.
In an earlier post, Paul Leach addressed issues with
"deprecated" modes, but a larger unaddressed problem
is the indeterminate entropy of the session keys. We're not
even talking 40 bits in many cases, as network cracking
attacks on hashed-password-derived keys often
succeed with a difficulty of less than 2^30.
In setting priorities, I'd say that reliable
session key generation is at least as important as
problems with re-use or mis-use of these keys in a
cipher.
------------------------------------
David Jablon
Integrity Sciences, Inc.
dpj@world.std.com
<http://world.std.com/~dpj/>
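The "indeterminate entropy" point in the post above, as an added example that is not from the original message nor from any PPTP implementation: it models the password population with a constructed Zipf-like distribution (an assumption, not measured data) and computes how much guessing work a session key derived deterministically from the password hash really affords, whatever its nominal 40 or 128 bits.

```python
"""Effective strength of a password-derived session key (added example).

Assumption (constructed, not measured): passwords follow a Zipf-like
distribution over n distinct values, p_i proportional to 1/i. A key derived
deterministically from the password hash is exactly as hard to guess as the
password, regardless of the key's nominal length.
"""
import math


def zipf_distribution(n, s=1.0):
    """Probabilities p_1 >= p_2 >= ... >= p_n with p_i proportional to i**-s."""
    weights = [i ** -s for i in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def min_entropy_bits(probs):
    """Strength against a single best guess: -log2 of the most likely password."""
    return -math.log2(max(probs))


def expected_guesses(probs):
    """Mean number of guesses when trying candidates in descending probability."""
    ordered = sorted(probs, reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))


def guesses_for_success(probs, alpha):
    """Smallest number of best-first guesses that succeeds with probability >= alpha."""
    cumulative = 0.0
    for rank, p in enumerate(sorted(probs, reverse=True), start=1):
        cumulative += p
        if cumulative >= alpha:
            return rank
    return len(probs)


def random_key_bits(nominal_bits, alpha):
    """log2 of the work to hit a uniformly random key with probability alpha."""
    return nominal_bits + math.log2(alpha)


def effective_key_bits(nominal_bits, probs, alpha=0.5):
    """log2 of the work to recover the derived key with probability alpha,
    capped at what a truly random key of the same length would cost."""
    return min(random_key_bits(nominal_bits, alpha), math.log2(guesses_for_success(probs, alpha)))


if __name__ == "__main__":
    probs = zipf_distribution(2 ** 20)  # a million-password vocabulary
    print(f"min-entropy: {min_entropy_bits(probs):.1f} bits")
    print(f"expected guesses: 2^{math.log2(expected_guesses(probs)):.1f}")
    for bits in (40, 128):
        print(f"{bits}-bit derived key, 50% success: 2^{effective_key_bits(bits, probs):.1f}")
```

The nominal key length drops out of the result entirely; only the password distribution sets the attacker's work, which is the post's priority argument in numbers.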