On Apr 8, 2012, at 7:30:43 AM, ianG wrote:

> On 6/04/12 10:57 AM, Steven Bellovin wrote:
>>
>> On Apr 5, 2012, at 5:51:10 PM, James A. Donald wrote:
>
>>> So I think that pretty much everyone has already heard that MS PPTP is
>>> insecure. Every time I set up a vpn, I am re-reminded, just in case.
>>
>>
>> "Don't use cryptographic overkill. Even bad crypto is usually the strong
>> part of the system." Adi Shamir, 1995.
>> (http://www.ieee-security.org/Cipher/ConfReports/conf-rep-Crypto95.html)
>
>
> All hail the great A5/1 and lesser spawn.
>
> Seriously though, we suffer tremendously in this industry from overkill.
> Studying the biases in the field would make a great cross-over PhD in
> psych-CS-crypto-business. Is there anyone amongst us who hasn't chortled
> with glibbity and glee when some despised crypto system falls to a pernickity
> academic attack?
Sure -- and I (and many others on this list) have worked hard for good, secure crypto standards. But things like PPTP, even when flawed, have survived for a reason. Often, the reason is that they're far more *usable* than the stronger alternatives.

Let's take openvpn, which some others have spoken favorably of in this thread. Consider http://openvpn.net/index.php/open-source/documentation/howto.html (and especially http://openvpn.net/index.php/open-source/documentation/howto.html#examples), the "official" starting points. Then contrast that with what a typical sysadmin has to know to set up PPTP. Yes, I understand why openvpn has a harder job, though I do think that a fair amount of the complexity could be hidden by (a) a bit more management software, and (b) the developers making certain decisions (and hence taking them away from the sysadmin). Both of those take a great deal of taste to do correctly, of course.

IPsec is often worse. Take a look at, say, http://www.freebsd.org/doc/en_US.ISO8859-1/articles/checkpoint/racoon.html, or the man page at http://www.linuxmanpages.com/man5/racoon.conf.5.php. There's a fearsome amount you have to wade through just to decide that you don't need to touch, say, the "nonce_size" option. More substantively, how many hours will it take the typical sysadmin to understand the description of the "generate_policy" option?

So -- you're the typical sysadmin. You can spend many hours trying to understand all that stuff, or you can click through a very few screens and get crypto that will certainly deter the casual adversary at the local hotspot, will block even the NSA's vacuum cleaners -- and if you're targeted, might not be the weak point after all, since exploiting bad crypto depends at a minimum on actually picking up the traffic of interest, while a host exploit is always there.

Yes, the algorithms and protocols can be very important, especially if you have serious enemies. They're also more fun for many folks (myself included) than the really hard engineering and development work to make the thing usable. They're orders of magnitude more fun than the arguments in standards bodies to agree on what is really necessary as an option, as opposed to something that most people don't want but some vendor insists has to be there for 2.71828% of their customer base.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography