Linux Crypto Packages Demolished 404
SiliconEntity writes "Cryptographer and security expert Peter Gutmann has demolished several Linux security software packages in a recent posting to the cryptography mailing list. He says, 'It's possible to create insecure 'security' products just as readily with open-source as with closed-source software. CIPE and vtun must be the OSS community's answer to Microsoft's PPTP implementation. What's even worse is that some of the flaws were pointed out nearly two years ago, but despite the hype about open-source products being quicker with security fixes, some of the protocols still haven't been fixed.'"
What a great Quote (Score:5, Funny)
"Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment."
--Peter Gutmann
Re:What a great Quote (Score:2)
noah
Re:What a great Quote (Score:3, Funny)
Anonymous Signature to follow
--
Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment."
--Peter Gutmann
D'oh (Score:3, Funny)
I hate Mondays.
Re:What a great Quote (Score:2)
Re:What a great Quote (Score:2)
Re:What a great Quote (Score:5, Informative)
Re:What a great Quote (Score:5, Informative)
http://www.glgarden.org/foreverman/brasseye.html [glgarden.org]
(if you're impatient, click "page 2" and search for "sound wave".)
Original of quote (Score:3, Informative)
"Whenever a programmer thinks, "Hey, skins, what a cool idea", their computer's speakers should create some sort of cock-shaped soundwave and plunge it repeatedly through their skulls." - Makali [lazycat.org].
Use the trustworthy stuff (Score:5, Funny)
Oh no! (Score:3, Funny)
POPTOP (Score:3, Interesting)
Re:POPTOP (Score:4, Informative)
L2TP replaces it, and MS seems to have got it right this time.
CIPE (Score:5, Informative)
Did I miss something?
Re:CIPE (Score:5, Informative)
Re:CIPE (Score:5, Funny)
Given that, one would think industry strength implies insecurity!
Don't let my alias throw you off, I'm not about bashing Microsoft, but this was just too easy
thank you captin obvious (Score:5, Insightful)
Re:thank you captin obvious (Score:4, Informative)
False (Score:5, Informative)
in 2002 and 2003.
Check their homepage:
http://vtun.sourceforge.net/
Maybe only small update.
Give this man a PhD! (Score:5, Interesting)
This sentence can be reduced to "It's possible to create insecure security products" without losing any important content.
The question should be, is it possible to create a truly secure product when there's no opportunity for public code review? My answer would be "no". I shudder to think of how many critical holes would be found in most popular closed source network products if people like Michal Zalewski were allowed to review the source code.
Re:Give this man a PhD! (Score:2, Informative)
Re:Give this man a PhD! (Score:5, Insightful)
#1 - He's right.
#2 - So are you, or better yet consider this:
If CIPE were closed source, would he have even been able to write this article? Unless I missed something, nobody ever claimed OS was flawless, just that the flaws were open to scrutiny.
Re:Give this man a PhD! (Score:3, Funny)
Yeah, 'cuz Windows being closed source prevents people from finding security vulnerabilities and writing articles on them...
Re:Give this man a PhD! (Score:2)
No, what do you think "security" is? It's the knowledge of safety.
If the public can't review something, they can't know it's safe. The proprietary code reviewers may have been smart enough to catch any flaws- but that's not enough. They'd also have to be trustworthy enough to reveal them, and not just keep them as a personal backdoor.
The sanely paranoid won't take anyone's word on security, they need the ability to check it personally.
Re:Give this man a PhD! (Score:3, Insightful)
No, but they certainly can (and will!) assume. Look at Windows users, and look at the Linux zealots who'll gleefully tell you that Linux is invulnerable.
If there truly are zero vulnerabilities, security holes, bugs, etc., it's secure - whether the users trust it to be or not doesn't change that. It just changes whether they're likely to use it.
Re:Give this man a PhD! (Score:4, Insightful)
I thought I just explained the definition of "security". It's different from "safety". Check your local dictionary for more info: security is an assurance of safety.
You might be safe, but if you don't know it, you're not secure.
Re:Give this man a PhD! (Score:4, Insightful)
In this context I think "security" is a process of minimizing risks to acceptable levels for an arbitrary application.
If the public can't review something, they can't know it's safe.
So? 99.999% of the population can't determine good programming even if the source is open. I guess by your theory there is no secure software in use at the CIA or the NSA because "the public" hasn't seen the code.
The sanely paranoid won't take anyone's word on security, they need the ability to check it personally.
"The sanely paranoid" != "The public"
Only those using the software need to know it is secure. This can be accomplished whether the software is Open Source or not.
Re:Give this man a PhD! (Score:4, Insightful)
i responded instead of modding you. Let me just point out that if the public is using it then it should be open source so that the neccasary non-corporate people (hackers) can take a look at the code and fix what is needed, in the case of microsoft they are saying "trust the people who we employ, and who depend on our products to make money" which is a very very bad thing to rely on.
The open source community might not be perfect, but its one hell of alot closer than any proprietary setup. (not to mention that the larger the OSS community gets the more people will be looking at the code, hence more security.)
the CIA and/or the NSA are bad examples of security in software. (as is anything in gov't) because politicians decide what gets done, and politiks do not mix well with software.
Re:Give this man a PhD! (Score:3, Insightful)
To minimize you must first know. To know you must see.
So? 99.999% of the population can't determine good programming even if the source is open.
They can, if they care to, hire an arbitrary number of reputable cryptologists and software engineers to give independent opinions on the safety. The original authors can't have inserted secret backdoors for fear of being found out by these 3
GPG is also a disaster and other rants (Score:4, Insightful)
1. Be under a BSD-ish license, so it could be linked in to commercial and non-commercial products.
2. Be a LIBRARY, not a stand-alone executable, so it can be linked into anything at all.
Let's see, the Xiph people want their protocols to be used all over the place, so they make it a BSD-license LIBRARY that anyone can link to. Hmmm, seems to be working. The PNG backers want their format to be used all over the place, so they make it a BSD-license LIBRARY that anyone can link to. Hmm, seems to be working. The PGP/GPG people want their stuff to be used by people to send mail everywhere, so they make it either a non-Open Source license (PGP) or a GPL license (GPG) and also never ever make it a library for non-existant "security" reasons. Guess what! No one uses it!
Oh, and while I'm ranting about the horribleness of Open Source security stuff, why is it that there is STILL no well-integrated filesystem crypto in any of the Open Source operating systems, including the security-oriented OpenBSD? No, loopback crypto kludges don't count at all.
Re:GPG is also a disaster and other rants (Score:2, Interesting)
I don't feel comfortable using crypto products without source code, I don't know about you.
cipe has been on my shitlist for a long time for instance.
Debian to the rescue! (Re:GPG is also a disas...) (Score:5, Informative)
Description: GPGME - GnuPG Made Easy
GPGME is a wrapper library which provides a C API to access some of the GnuPG functions, such as encrypt, decrypt, sign, verify,
Can I hump your skull now?
Re:Debian to the rescue! (Re:GPG is also a disas.. (Score:5, Informative)
No, because GPGME is GPL, not LGPL, and all it does is make calls to the (GPL) GPG binary.
Re:GPG is also a disaster and other rants (Score:3, Informative)
Most clients now spawn an exec and pipe data to PGP or GPG. Nothing in the GPL prohibits that.
Re:GPG is also a disaster and other rants (Score:2, Interesting)
My loopback crypto filesystems, set up on Mandrake Linux 9.0/9.1, don't seem all that kludgy to me. It was easy enough to set up and very easy to use. Except that I still have to mount my encrypted filesystems via the command line, what's up with that? If anyone knows of any GUI mount programs that are smar
Security Disasters vs. UI Ugliness Messes (Score:2)
Re:GPG is also a disaster and other rants (Score:5, Insightful)
Those GNU folks are just evil; that's why they would never agree with something like the Vorbis BSD license [lwn.net].
Or it could be that most people don't really understand the need for encryption, are hopelessly confused by key management, and won't use it until it is bundled with their computer and employed by default in their email program.
Re:GPG is also a disaster and other rants (Score:5, Insightful)
If you read about GPG you would realize that the intentional lack of a library is a feature, not a bug. The GPG application relies on some cool extensions to protect memory areas used for the random pool (entropy source) the key generation algorithms, etc.
The moment you pull that out into a simple library you open up a number of attacks. Perhaps the application using the library got 0wn3d by an LD_PRELOAD trick. Perhaps it is allocating memory poorly and it gets swapped to disk, where another rogue process picks it up. Perhaps another rogue library is scanning application memory space and writing keys to a socket over the network. etc, etc.
There are a number of good reasons why there is no library (the current C libs are simply wrappers around exec to the gpg executable - they work fine, use them). Do you want convenience or real security?
Re:GPG is also a disaster and other rants (Score:4, Insightful)
There are a number of good reasons why there is no library (the current C libs are simply wrappers around exec to the gpg executable - they work fine, use them.
Excuse me for my ignorance of how GPG is called, but isn't just loading an executable from your path subject to the same sorts of attacks (really, easier onces) than the LD_LIBRARY_PATH modification? I can just as easily sneak something somewhere in the users PATH ahead of the real GPG...
Re:GPG is also a disaster and other rants (Score:5, Interesting)
I think the problem is that shared libraries are shared across users, so you just need to have a user account on the machine with debug access to mess with a library, while to change someone's path you need to compromise their account. The problem with this arguement is that if you have debug access you can mess with so many things that avoiding shared libraries isn't going to help much. The only thing it might do is force someone to crack X, pine, emacs or something else you are using to compose whatever you plan to GPG so while the system is compromised GPG can claim that their part of it wasn't.
Moral of the story is don't allow security to depend on a development machine's pristine state and don't enable ptrace, or loadable modules for that matter, on a production machine that is intended to be secure.
Re:GPG is also a disaster and other rants (Score:3, Insightful)
> Besides, a buffer overrun, or another flaw in your program could then enable the attacker to read your private key because
> it's decoded in your memory space now, not in the seperate GPG space. That's not a huge win, but it's a win.
And your passphrase, passed over IPC to GPG, isn't? That's just as good as having the private key.
I don't see any reason why the issues you list can't be addressed in a library. GPG.so can do its own page locking transparent to the client, it can ignore whatever environ
GBDE (Score:3, Informative)
Check out FreeBSD 5's GBDE [freebsd.org] system. It's still relatively new and needs some polishing, but is improving rapidly. It's already quite usable.
CIPE is a toy (Score:4, Interesting)
I remember when I installed Red Hat I went looking for IPsec
The 32-bit CRC thing caught my eye as well. I'm no crypto export but I know enough about it to remember how CRC-32 is a weakness of the SSH 1 protocol.
I have since set up freeswan and am happy with it even though I really don't understand IPsec that well I think it has been more closely scrutinized.
So yeah, the author is probably right when he calls it the open-source PPTP... I don't see what it has to do with open-source or closed-source, although with open source it was easy for me (and the author) to gauge the quality of the code and avoid it.
Re:CIPE is a toy (Score:4, Informative)
First, the CRC32 problems only put it on par with ssh 1. Which is still in use by many people I suspect. ok it should have been fixed.
The padding iisue just means that aes cant be used. afaik cipe doesnt let you change ciphers anyway. Its not that bad - the algorithms it uses are probably safe for a few more years. Plaintext size leaks small amounts of information, so it is not best practise, but not fatal. aes would be nice though.
The message sequence issue (replay etc) is on the face of it rather bad, except that cipe is designed for carrying ip traffic. Repeating or removing udp messages is fine, and tcp messages do have sequence numbers. So I fail to see how that is a problem.
And the key exchange is fairly irrelevant as it is basically a private key protocol. They key exchange stuff was an afterthought and I doubt if anyone uses it. Designing public key encryption is much harder and cipe should have stuck to private key.
You can't just slap together a security package. (Score:3, Insightful)
One can browse a manual on the topic and write an implementation that technically works (when paired with a similarly shoddily-designed decoder), but be fully unaware that the pseudorandom generator is just that. Or that the ones-complement portion of the crypto engine fails when X=0, weakening the whole thing by sixteen bits while not producing garbage.
Unlike a crappily-designed game, it's a lot harder to spot when crypto goes wrong. And most of those thousands of eyes supposedly peering over the code aren't looking that hard.
I'd still contend that commercial crypto has had more and bigger flaws overall, but he's right that the open source process alone isn't going to give you good crypto.
+5 Funny? (Score:3, Insightful)
Apparently your posting strategy went something like this:
Ironically, your post made for the better demonstration of the problems inherent in the Slashdot moderation system.
Do you have a
Re:+5 Insightful? (Score:3, Insightful)
Denied, lame (Score:2)
Issues... (Score:2, Informative)
#1 Links to URLs not on standard ports stink. I'm stuck behind a very strict http proxy.
#2 Links to message lists stink to. The location of the content is not obvious. Maybe the offport link contains some valuable information.
#3 I did find the message that is the topic of this post. The material in the message seem very "dated".
Software popularity (Score:5, Insightful)
Re:Software popularity (Score:2)
I don't know anyone running Linux using anything other than SSH/SSL or IPSec tunnels for VPNs.
Demolishing a house of cards isn't exaclty a difficult task.
Hell, the beta's for Red Hat Enterprise AW3 have IPSec tunnel wizards. IPSec is probably where it will all be at for a while -- it is lower down on the stack than SSH and while can be a bitch to configure, once done is pretty transparent to applications.
Ah.... reminds me of the early days. (Score:3, Insightful)
Things like this will get fixed when the people maintaining the packages start doing the gruntwork that gets those little bits enterprise grade- in other words, doing the hard, annoying, pain in the ass shit that you pretty much have to get paid to do, because nobody wants to do it in their free time. Big bonus points to open source software companies for making a BIG effort to do exactly that.
Re:Ah.... reminds me of the early days. (Score:2)
Re:Ah.... reminds me of the early days. (Score:2, Funny)
Re:Ah.... reminds me of the early days. (Score:2)
Well, if it's any consolation, I've only been Aware of Linux since 1998, and didn't start attempting to use it until 2000. Now it's a daily thing for me, and a critical part of my network operations.
Hot News (Score:4, Funny)
In other news, Bear shits in woods.
Of course, the more obscure package, the more bugs (Score:2)
That's why I hate it every time there's an exploit in a major package and some people go "Switch to our pre-alpha sourceforge package that's *so* much better and safer". Maybe because a bunch of crackers/hackers/developers (usually in that order) haven't looked it over and found the subtle
So some OSS crypto products suck... and? (Score:5, Insightful)
The security and cryptography field just highlights the problem because there are so many opportunities to do something particularly stupid in those fields. Anyone can write a cryptosystem that they can't break themselves. Unfortunately a lot of people figure if they can't break it, then neither can anyone else...
Jedidiah
Re:So some OSS crypto products suck... and? (Score:4, Insightful)
Like is highlighted in the article, these problems with "dodgy" software tend to arise when the author decides to reinvent the wheel, but neglects the tire and the axle grease.
Everyone wants to make a name for themselves by being the next Richard Stallman, rather than working on the established products with comprehensive peer review and years of code history. Why write new protocols that are doing the same thing that SSH is doing? It's nonsensical.
There's usually very little real reason to create these abominations. If an existing project doesn't have a feature you want and you're capable of coding it, for God's sake, code it to work with the existing product. I'm willing to bet that the guys behind these protocols got flat-out laughed at by anyone doing real cryptography work, but still somehow felt that they were right all along.
Re:So some OSS crypto products suck... and? (Score:2)
Sorry, I should have been clear. I wasn't trying to imply that this was something bad about OSS, merely that just because you found some bad OSS doesn't mean all OSS sucks. Just because you found some particularly poor text editor doesn't mean OSS doesn't produce good text editor. Just because you found poor Crypto doesn't mean that OSS sucks at Crypto.
As you point out, I
my two cents (Score:4, Insightful)
As for this project (CIPE), I personally have never heard of it. Indeed, neither has the poster from that mailing list: A friend of mine recently pointed me at CIPE, a Linux VPN tool that he claimed was widely used but that no-one else I know seems to have heard of.
vtun and ssh (Score:5, Insightful)
Just turn off vtun encryption and use it via a ssh tunnel. That works very well (i use it for securing wifi) and uses a proven protocol.
I also believe this is good practice and should be a widely accepted policy - re-use of good and proven software is not lame - it is crucial for easy, fun and secure software development. There really is no need for re-inventing the wheel.
Now if only ssl were so integrated into the operating system that i could use select() on a ssl-socket created with socket(), and thus making writing of ssl-enabled apps as easy as non-ssl-enabled ones, that would be great!
Re:vtun and ssh (Score:3, Informative)
It also offers a couple of other advantages. Combined with SSH, it's actually secure when punching through a NAT'ing firwall (IPSec isn't since AH and NAT don't co-exist) and it's capable of tunneling at layer 2, so you can tunnel non IP network protocols (It can emulate a serial connect
ssh for tunnels is a bad idea (Score:3, Informative)
Of course, the author of that article went on to write CIPE, which is one of the problem protocols under discussion.
I use freeswan IPsec [freeswan.org] for securing wifi. The biggest problem with IPsec is that it suffers from "committee bloat" and is very complicated to use. Freeswan partially mitigates this complexity by implementing only a narrow subset of the RFCs (in fact, it is not even RFC compliant, because they deliberately
So use a Linux IPSEC implementation instead (Score:5, Informative)
openvpn is much better (Score:5, Interesting)
openvpn [sourceforge.net]
It was created a while back when all the other linux vpn products were not that great, and it seems like thats still the case.
vtun (Score:2)
Anyone out there up for the challange? (I'd try, but I'd have no idea where to even start!)
Re:vtun (Score:2)
Well. VTun doesn't try to be the MOST secure tunneling software in the
world, it tries to be fast, stable, rich of features, easy to use
and secure enough instead.
VTun uses Challenge Based Authentication and doesn't transfer passwords
in clear text. Encryption module uses MD5 for 128 bits key generation
and BlowFish algorithm for actual data encryption.
There could be some weaknesses in key generation method, we will try
to address them in future rel
Well put (Score:2, Redundant)
One particular quote:
pretty much sums up the rest of the post.
Well duh? (Score:2)
With open source the users can migrate without a penny to something more secure. The difference as i see it is that you can choose what authentication/web/shadowing/crypt you want by yourself and you are not in the hands of someone else. You are responsible f
from the VTUN page : (Score:4, Interesting)
1.23 Can I use vtun over SSH ? Yes, via the port forwarding feature of ssh. Don't enable vtun's encryption as ssh does its own encryption. Also, make sure to select the tcp protocol as SSH can forward tcp but not udp. An example session might look something like this: home$ ssh -L 5000:localhost:5000 work.megacorp.com (authenticate if necessary) work$ vtund -s home_tunnel_config
Now, having said that, I use VTUN and haven't had any problems. But then again, I also have the boxen firewalled to hell and back, no services allowed but SSH from a few known hosts, no root SSH, etc. So even if you do crack my key, you're not getting much that will get you anywhere.
While I don't consider it the most secure tool, it does the trick well enough for now. Kudos to the VTUN team, and kudos to Peter for his examination.
vtun security: ssh (Score:2)
I also always turned off security on it - it's primary purpose was always to be a tunnel solution, not so much a security tool. What's more, I don't open any more ports on my server than I need to - I bet there are buffer overruns in vtun...
I always tunel vtun over ssh. Problem solved.
I need to look into openvpn (http://openvpn.sourceforge.net/).
Talk about stating the obvious! (Score:4, Insightful)
The point is, that with open source you can see just how insecure or secure a particular product is by looking at the code.
Open source is inherently no more secure than closed source software. The difference is people like "Peter Gutmann" can see what is wrong and be at the ready with suggestions how to fix it.
I think I see why these haven't been fixed. (Score:5, Informative)
Rating: 8.35/10.00 (Rank N/A)
Vitality: 0.01% (Rank 4941)
Popularity: 2.72% (Rank 1001)
VTUN
Rating: 8.55/10.00 (Rank N/A)
Vitality: 0.02% (Rank 2787)
Popularity: 2.69% (Rank 1017)
Neither of these projects are dead, quite, but neither is terribly active, either. Sourceforge shows one developer for CIPE, for example.
As an earlier post said, crypto demands skills which aren't generally available, in an unusual combination. Many competent eyes make bugs shallow. Many competent coders make bugfixes quick. It looks as if those packages haven't drawn the competent eyes and coders yet.
Maybe Mr. Gutman's post will draw some good folks who are able to do the work to these projects. Or maybe it will inspire the maintainers to simply let them fade away. Either way, we're better off for his efforts.
A third possibility is that folks will just not care. Gutman tells us:
This kind of thing needs to be fixed or abandoned; bad security is worse than no securityRe:I think I see why these haven't been fixed. (Score:3, Interesting)
CIPE is nice... (Score:2)
I hope the flaws are fixed.
Freeswan? (Score:2)
the conclusions mostly do not follow (Score:5, Interesting)
The first big difference between OSS and commercial products is often that commercial products want to either invent a new proprietary protocol, or, for marketing reasons, push an obsolete protocol as a new innovated protocol. Both of these leave end users insecure. However, since everything is proprietary, there is no way for the user to know the level of insecurity. And, if we may drop names like in the article, Scheier lists a new company nearly every month who tries to push crap as security, though he has gotten so annoyed that he has skipped months of late.
And to drop the name again, Schneier, has spent his time of late trying to convince people that security is so much more than protocols. The protocols must be implemented in code correctly and deployed correctly. Unless one is a huge national agency with a classified budget and decades of security experience, it is unlikely that one can create a secure product. It is much better to make the code public so that interested parties can investigate. It doesn't mean they will.
The two of these combine in interesting ways in closed software. There are claims of 1,000,000 bit keys. There are situation in which security by obscurity is used as the first line of defense. There are situation in which the DCMA is used as the first line of defense.
Which is just to say that conclusion #1 and #2 does not follow from the text. Just because one finds a few packages that are out of date in OSS, does not mean that finding a few updated packages in closed source software are more secure. Conclusions #3 and #4 are trivially valid, and applies to anyone writing software in any model. All programmer should take the advice to heart, especially if they want to design a right management system using closed protocols.
"Linux" Packages (Score:4, Informative)
Of course, none of them are GNU packages, either . .
OTOH, tinc does have a linux.org homepage, but then it seems to not be "Demolished" by any reasonable definition. He says "This is a terrible way to use RSA, and usually compromises the key." and I'm no crypto geek, but I think what he means by "compromises" is "provides and avenue of attack that is mathematically simpler than brute force against the key" not "reveals the secret".
So, two seemingly abandoned projects are suspect, and one relatively arbitrary (but Open Source!) package has a theoretical weakness.
All that said, my question is: What has been demonstrated (or demolished)?
-Peter
Re:"Linux" Packages (Score:3, Informative)
This is open source working, people (Score:4, Interesting)
This is great information, and while it might not reinforce the 'open source uber alles' message, it is very useful to anyone who might be considering working on these or similar projects, as well as anyone that uses them.
Even if Mr. Gutmann says these products can't be completely fixed, at least the authors can improve them now based on his comments, and just because this guy says it can't be done, doesn't mean it is gospel.
I say a big thank you to Peter Gutmann (a fellow kiwi, alright!) for taking the time to write this and help to improve the state of open source security products.
The Real Problem (Score:5, Interesting)
We do not have an effective method of running a stateless cryptosystem, but IP actually does require stateless operation. All these mini-systems that have sprouted up exist because of this.
SSH(which, incidentally, violates Guttman's rules by using "the same key for encryption and authentication") and SSL(which utterly falls apart when the cert gets compromised) both run over TCP. TCP is not IP. TCP adds reliability, through error detection, correction, order management, and congestion management. That's all well and good, but sometimes I really don't care when I drop a packet. Voice traffic is a fantastic example -- by the time the retransmission is complete, the data is stale and irrelevant. But TCP will not only stop to retransmit, it'll hold up everything else while it does so, and even slow down the connection to be sure a dropped packet doesn't happen again.
There are _many_ protocols which can accept these semantics. But there are many that cannot, and there's a bigger problem: By supporting those protocols that do not share the connection semantics of TCP -- DNS, VoIP, etc -- we end up being forced to carry either GRE or PPP packets over the SSL/SSH tunnel -- and inside these PPP packets, that are being carried by TCP, is more TCP.
This doesn't work very well at all -- effectively, both sockets attempt to simultaneously adjust to changing network conditions, and since neither knows about eachother, they both screw up badly.
All because we do not have a stateless cryptosystem that works. It may very well be that such a demand is impossible. Stateless cryptosystems can send a message and not only not prenegotiate a session key, but tolerate large number of dropped packets. Replay attacks need to be suppressed, but packets need to be able to survive high latencies. CPU load needs to be kept reasonable, but no message can rely on the asymmetric results of another.
In short, normal cryptosystems are built to be inflexible to attackers; we do not know how to make them simultaneously flexible for networks. The reasons why should be obvious -- anything that can go wrong on the network, will go wrong because of an attacker. So telling everybody to use SSH/SSL is ultimately code for, "We just don't have the crypto to secure IP." And we know IPSec is a failure; if it hadn't been for VPN's, it'd be as rare as multicast and a hundred times more expensive.
Solutions? I suspect short signatures will ultimately make the difference, as will better time-based protocols (at least for intra-admin-domain work.) But no matter how high my opinion is of Guttman, I cannot ignore he considers solved problems that fundamentally refuse to go away.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
P.S. There is an immediately available VPN solution that's free and doesn't suffer from TCP-over-TCP effects. Look up Dynamic Forwarding for OpenSSH
Peter Gutmann and tinc (Score:4, Interesting)
In some more detail: the 32 bit predictable IV might make the other 32 bits of the first encrypted block more vulnerable, but the other 32 bits of that block only contain part of a MAC address which does not reveal any important information. It does not compromise the other blocks AFAIK, and in fact a sequence number instead of an unpredictable random number is more secure according to Jerome Etienne, who has done a much more detailed security analysis of tinc in the past.
The messages encrypted with RSA are indeed not padded, but padding is, AFAIK, only necessary when the message is shorter than the RSA key. In our case, the message is exactly as long as the RSA key.
Peter Gutmann believes there is a possible MITM attack ("Chess grandmaster attack"), but hasn't shown us how, just that he believes it's there.
Peter Gutmann also believes tinc has to be configured identically on each endpoint, but that is not true at all.
We're still in discussion, and if we believe there is really a problem we will fix it. In his conclusion Peter says that everyone should be using SSL or SSH. We could, but I don't believe SSL is necessarily the be-all and end-all of encryption.
Re:Arm chair security experts (Score:2, Insightful)
Re:Arm chair security experts (Score:5, Insightful)
Re:Arm chair security experts (Score:5, Interesting)
Why didn't he just shut up and do something?
Can someone tell me when expertise, perception and wisdom became "worthless"?
"Excuse me sir, but did you know that your door lock is faulty?"
"Hey, don't give me none of that talk mister. Just shut the hell up and fix my lock. OK?"
"Listen. . . asshole. I didn't design the lock, I didn't make it and, more to the point, I'm not the jerk who put it in your door. It's your design, your lock and your door. You fix. Now FOAD."
Open source is about sharing, not about making the other guy responsible for your cockups.
KFG
Re:Arm chair security experts (Score:5, Informative)
Gutmann deserves kudos, you twit (Score:4, Insightful)
Absolutely absurd. I can't believe you wrote this. People who are good at writing code donate code to free software projects. People who are good artists donate art to free software projects. Yet, somehow, when a noted cryptographer does a (somewhat acerbic) security analysis of *three* open source packages and lists fixes, somehow you feel that he hasn't contributed anything.
Incidently, I'm curious if you're aware exactly how much it would cost in consulting fees to get someone like him to sit down and review a given product. This guy contributed a lot more in terms of intellectual value to those three projects than the forty-five people that sat down and wrote five-line patches to remove gcc warnings (not that their work isn't appreciated, but still).
He deserves our thanks, not scorn.
Re:I think... (Score:2)
The quality of open source software is directly related to its desirability / popularity, in general.
things like ssh, pgp, and mozilla are pretty high quality, and have fast turn arounds on bugs. Not perfection, but quite efficient.
Re:Well... (Score:3, Insightful)
This crap got modded up??? I felt sure when I first saw the comment that it would it -1 at mach 3. Especially in light of articles like this one [slashdot.org].
Not only that, but if you think about it, blaster and slammer and all those thing... They
Re:Well... (Score:5, Insightful)
1) These holes are far less likely to be in the base operating system implementation, as the OSS mantra is generally to put as much logic in user-space as possible.
2) These holes won't be covered up and released only after the vendor has decided to let us know about them.
3) These holes will be fixed up very quickly (in general, anyway), in individual patches or point releases, without onerous licenses attached to them, and without fear that the release might break the rest of my operating system.
4) Because OSS products use open standards, if one particular package is simply too insecure, at least I can change to another product and have things interoperate (eg, switching from Sendmail to Qmail/Postfix/MTA-de-jour).
Re:Well... (Score:2)
Karma whoring and a gross misrepresentation (Score:2, Interesting)
The "skript kiddies" like hacking Linux & Unix because it's "elite" and has usually has tons of tools like compilers installed. (Also, the Unix community was far ahead of Windows people wit
Re:Well then, fix it! (Score:2, Insightful)
Re:Well then, fix it! (Score:5, Insightful)
If you read the article, his advice is almost every case is "Scrap this, go learn basic crypto, and try again." I don't know crypto at all, but I'm willing to bet that's good advice. And if so, why on earth should he take the job of re-writing CIPE? I think it's great that he's getting the word out that it's insecure. These are the things that should be public knowledge.
Re:Well then, fix it! (Score:5, Interesting)
Sometimes the best thing a programmer in this situation can do is to just declare a piece of software broken beyond repair and just retract the sucker.
I mean, CIPE might have made sense before the widespread availablity of open-source, carefully crafted IPSec software. Now, your best mileage is to provide easy directions for how to build an existing, functional IPSec setup.
Re:Well then, fix it! (Score:2)
These are the things that should be public knowledge...
---
Re:Well then, fix it! (Score:2)
Listen, buddy if everyone in the world actually tried to do something about the things they bitch about, the world would be a much, much better
scarier place!Re:Paragon of good crypto design? (Score:2)
Re:Problem of semantics (Score:3, Interesting)
Well, Peter Gutmann did provide useful insight for the programmers involved in these open source projects. What frustrated him was some of them ignored him, or simply did not know enough about security to understand his comments. That is the kiss of death for th