[2809] in cryptography@c2.net mail archive
Re: David Wagner: Re: CISCO PIX Vulnerability
daemon@ATHENA.MIT.EDU (Scott G. Kelly)
Thu Jun 11 10:58:28 1998
Date: Wed, 10 Jun 1998 11:18:27 -0700
From: "Scott G. Kelly" <skelly@redcreek.com>
To: Rick Smith <rick_smith@securecomputing.com>
CC: "Perry E. Metzger" <perry@piermont.com>, cryptography@c2.net
Rick Smith wrote:
>
> At 09:18 AM 6/4/98 -0700, Scott G. Kelly wrote:
> >Just wanted to note that not *all* Cisco PIX boxes have this problem.
> >Some of the boxes use a hardware card for encryption (which we provide),
> >and those systems certainly do not have this shortcoming.
>
> Does PIX use some integrity mechanism in addition to the ECB encryption? Do
> they renegotiate keys regularly? If not, then the benefits of hardware
> encapsulation and key length aren't going to protect them from forged
> commands.
>
> Rick.
> smith@securecomputing.com
This was cleared up in a side discussion: the mechanism being discussed
is in a pre-ipsec (proprietary) VPN mechanism for the PIX. The PIXs
which use the card are based upon the current round of ipsec docs. Also,
they don't use ECB - they use CBC.
Scott
