[cdr] My response to both the analysis of CIPE by Gutmann, Slashdot and the response by the CIPE list
Please allow me to introduce myself. I am neither a CIPE developer nor a cryptanalysis expert. I am, however, a security consultant who deals primarily in Free/Open Source Software. I have used CIPE in the past as well as other Free/Open/Non-Free products for use in VPN solutions. I wanted to contribute an outsider's perspective.

I first read Peter Gutmann's analysis [1] as linked from Slashdot [2] and later I found the archive for cipe-l [3]. After reading Gutmann's short but to-the-point email, a few points that he made seemed obvious. Some of the flaws were not so obvious. CIPE seemed to have some very simple flaws and some of the fixes were easy to implement. I found some of it delivered in such a manner that would upset people who were highly vested in the projects he was criticizing. Perhaps it was the comment that I also found to be so amusing, something to do with sound waves. Amusing as it may be, it's still quite harsh.

I then read through the posts on Slashdot that declared CIPE to be dead. I found these to be really immature and silly considering the nature of F/OSS. The need for some change is now, not the time for its funeral. Thanks to the F/OSS method of development this is all very possible. The only series of comments on Slashdot worth reading (IMHO) were by Dan Kaminsky [4].

I also went ahead and read the CIPE FAQ [5]. A few statements seemed a little hard to believe after Gutmann's pointing out of using CRC-32 (as opposed to say SHA1). These really stuck out:

> To date one case of a potentially exploitable bug has been found, luckily in a version which never was widely used. Another bug has been found which could lead to denial of service attacks. Both have been fixed.
>
> [...]
>
> As for CIPE vs. IPSEC, they should be equivalent security-wise, with CIPE giving a bit better performance because of the lightweight protocol.

Peter Gutmann had stated that some of his findings were actually found years prior, thus the first statement seems to be false.
The second statement is just a bald-faced lie, unless it was written by someone from a decade ago. The CIPE protocol description [6] says outright that CIPE uses CRC-32 for *integrity protection*. An important statement to take into account from the protocol description:

> The primary goal of this software is to provide a facility for secure (against eavesdropping, including traffic analysis, and faked message injection) subnetwork interconnection across an insecure packet network such as the Internet.

With that said and with the analysis by Gutmann, let's get onto the list. The list I assumed would be delighted to have a professional cryptographer take a look at their tool of choice. I think the going rate for an actual security audit by a trained professional is somewhere around $60,000 (USD). This is a security related tool and as such needs this type of attention. Tools that would not like this type of audit might as well be snake oil.

However deep this audit went, it does point out a number of problems. Actual problems that need to be addressed for the users of CIPE and fixes that need to be coded by the developers. Some of them are very valid at the time of writing, some of them are not practical without using a stateless encryption system (as Dan Kaminsky explains in his Slashdot posts).

There are (as of this writing time) three major threads on the subject of Gutmann's email. The major first thread has responses ranging from defending CIPE and understanding the author's stated claims [7]. The author of this post creates a nice numbered list to respond to. He misunderstands the statement about CIPE being Linux's answer to MS-PPTP. He also goes on to start questioning Gutmann about things including message insertion. It also extends to a personal attack about Gutmann's ego. The message is then summed up as:

> The bottom line for me is that CIPE is not less secure compared to many commercial products.
> The CIPE protocol is not that easy to break as suggested by Gutmann, but the protocol surely has room for improvements. If you enable data compression (CipeX) it is even more complicated to break the protocol: you first need to decrypt to de-compress, and it is extremely difficult to guess the contents of a compressed ip-packet, which guessed content is needed to break the encryption.

These statements are preposterous. With an arbitrary comparison to many commercial products, whatever metric that is. That it's hard for someone to break, but that it's still very much possible. Being alright with this is quite amazing. This is a security project. Difficulty is very relative and for Johnny hacker, it might be hard.

However an example of making it hard to decrypt by using compression is a great example of misunderstanding. A UDP packet with a static key that has a compressed payload can be replayed over and over and over again. No key required. The compression isn't going to be a secret either, right? So it's still going to be possible
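
The two points raised in the message above (CRC-32 used for integrity protection, and a datagram under a static key being replayable with no key required), as an added example that is not part of the original post or of CIPE's code: a simplified Python model, not CIPE's wire format and with encryption left out, that contrasts an unkeyed CRC-32 trailer with an HMAC tag plus an anti-replay window. The key, framing, window size and all names are constructed for illustration.

```python
import hashlib
import hmac
import struct
import zlib

KEY = b"constructed-demo-key"  # constructed sample key (assumption)
WINDOW = 64                    # anti-replay window size (assumption)

def crc_seal(payload):
    """Weak framing: payload followed by an unkeyed CRC-32 trailer."""
    return payload + struct.pack(">I", zlib.crc32(payload))

def crc_accepts(datagram):
    """Stateless check: passes for any sender, and for every repeat."""
    if len(datagram) < 4:
        return False
    return zlib.crc32(datagram[:-4]) == struct.unpack(">I", datagram[-4:])[0]

def crc_is_affine(a, b, c):
    """CRC-32 is affine over XOR for equal-length inputs, so a known
    change to the data produces a predictable change to the checksum."""
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)

def mac_seal(seq, payload):
    """Hardened framing: 64-bit sequence number, payload, HMAC-SHA256 tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()

class Receiver:
    """Verifies the tag first, then enforces a sliding anti-replay window."""

    def __init__(self):
        self.highest = -1
        self.seen = set()

    def accepts(self, datagram):
        if len(datagram) < 8 + 32:
            return False
        body, tag = datagram[:-32], datagram[-32:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # modified or forged
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.highest - WINDOW or seq in self.seen:
            return False                      # too old, or a replay
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen | {seq} if s > self.highest - WINDOW}
        return True
```

The CRC check has no key and no state, so it cannot tell a repeated datagram from a fresh one; the receiver class rejects the repeat only because the sequence number is covered by the keyed tag.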
Re: Inferno: Akila Al-Hashimi assassinated (fwd)
On Thursday, September 25, 2003, at 10:56 AM, Trei, Peter wrote:

> Jim Choate[SMTP:[EMAIL PROTECTED] wrote:
>
> > -- Forwarded message --
> > Date: Thu, 25 Sep 2003 11:06:45 -0500 (CDT)
> > Subject: Inferno: Akila Al-Hashimi assassinated
> >
> > A representative on the US appointed Governing Council in Iraq has died of wounds from an assassination attempt this past Saturday. She was one of three women representatives on the 25-member council. Strangely enough, we are only hearing word of this assassination attempt today in the West; now that she has in fact died it is newsworthy, I suppose? Or perhaps just inconcealable.
>
> I don't have much trust in the US media, but this is nonsense. The assassination attempt was covered by the NYT among others. I heard about it on the radio at the weekend, and it was on Yahoo News.
>
> Peter Trei
>
> ---
> http://www.nytimes.com/2003/09/21/international/middleeast/21IRAQ.html
>
> BAGHDAD, Iraq, Sept. 20 - In the first attempt to assassinate a member of Iraq's interim government, nine gunmen this morning shot and critically wounded Akila al-Hashemi, one of three women on the governing body, as she was being driven to work by a driver and three bodyguards.

Her shooting was widely reported when it happened a few days ago, on CNN, leading newspapers, and presumably on other networks. One of her bodyguards was killed, and her brother was either injured or killed, I don't recall. Lots of footage of her planning to be the first useful idiot, er, politician, to serve in both the U.S.-funded Saddam regime and the U.S.-funded post-Saddam regime.

Perhaps these networks and newspapers are not carried on Choate Prime, the parallel world that is strangely different from our own.

--Tim May
RE: [cdr] Inferno: Akila Al-Hashimi assassinated (fwd)
Jim Choate[SMTP:[EMAIL PROTECTED] wrote:

> -- Forwarded message --
> Date: Thu, 25 Sep 2003 11:06:45 -0500 (CDT)
> Subject: Inferno: Akila Al-Hashimi assassinated
>
> A representative on the US appointed Governing Council in Iraq has died of wounds from an assassination attempt this past Saturday. She was one of three women representatives on the 25-member council. Strangely enough, we are only hearing word of this assassination attempt today in the West; now that she has in fact died it is newsworthy, I suppose? Or perhaps just inconcealable.

I don't have much trust in the US media, but this is nonsense. The assassination attempt was covered by the NYT among others. I heard about it on the radio at the weekend, and it was on Yahoo News.

Peter Trei

---
http://www.nytimes.com/2003/09/21/international/middleeast/21IRAQ.html

BAGHDAD, Iraq, Sept. 20 - In the first attempt to assassinate a member of Iraq's interim government, nine gunmen this morning shot and critically wounded Akila al-Hashemi, one of three women on the governing body, as she was being driven to work by a driver and three bodyguards. [...]
[cdr] Re: CNN.com - House votes for do-not-call registry - Sep. 25, 2003 (fwd)
You are assuming that each phone number represents only one person, which in most cases is incorrect.

- Original Message -
From: Jim Choate [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 1:53 PM
Subject: CNN.com - House votes for do-not-call registry - Sep. 25, 2003 (fwd)

50 million Americans can't be wrong.

Let's see, there are 300M Americans...this is a logical flaw, an appeal to the majority when in fact it isn't even a majority.

http://www.cnn.com/2003/ALLPOLITICS/09/25/congress.no.call/index.html
[cdr] CNN.com - House votes for do-not-call registry - Sep. 25, 2003 (fwd)
50 million Americans can't be wrong.

Let's see, there are 300M Americans...this is a logical flaw, an appeal to the majority when in fact it isn't even a majority.

http://www.cnn.com/2003/ALLPOLITICS/09/25/congress.no.call/index.html

Now let me make this clear: I support the do-not-call list, in fact I believe it should be the de facto and people should have to sign up to be called, not the other way around. Such an approach would resolve the 'unsolicited' issues as well. As usual we have the cart in front of the horse.

--
God exists because mathematics is consistent, and the Devil exists because we can't prove it.
Andre Weil, in H. Eves, Mathematical Circles Adieu

[EMAIL PROTECTED][EMAIL PROTECTED] www.ssz.com www.open-forge.com
RE: [cdr] Inferno: Akila Al-Hashimi assassinated (fwd)
On Thu, 25 Sep 2003, Trei, Peter wrote:

> I don't have much trust in the US media, but this is nonsense. The assassination attempt was covered by the NYT among others. I heard about it on the radio at the weekend, and it was on Yahoo News.

Thanks, I fed it back upstream.

--
God exists because mathematics is consistent, and the Devil exists because we can't prove it.
Andre Weil, in H. Eves, Mathematical Circles Adieu

[EMAIL PROTECTED][EMAIL PROTECTED] www.ssz.com www.open-forge.com
Re: [cdr] Re: CNN.com - House votes for do-not-call registry - Sep. 25, 2003 (fwd)
On Thu, 25 Sep 2003, Pete Capelli wrote:

> You are assuming that each phone number represents only one person, which in most cases is incorrect.

No I am not, the fine senator is. Get your facts straight, like who actually says what.

--
God exists because mathematics is consistent, and the Devil exists because we can't prove it.
Andre Weil, in H. Eves, Mathematical Circles Adieu

[EMAIL PROTECTED][EMAIL PROTECTED] www.ssz.com www.open-forge.com
Re: DC Security Geeks Talk: Analysis of an Electronic Voting System
At 02:48 PM 9/24/03 -0400, R. A. Hettinga wrote:

> http://www.cryptonomicon.net/modules.php?name=Newsfile=printsid=463
>
> Cryptonomicon.Net - Talk: Analysis of an Electronic Voting System

Someone needs to inject a story about e-voting fraud into the popular imagination. Is Tom Clancy available? Maybe an anonymous, detailed, plausible, (but secretly fictional) blog describing how someone did this in their podunk county... then leak this to a news reporter..

Failure to be *able* to assure that this *didn't* happen in that podunk county would make an important point.

On two occasions, I have been asked [by members of Parliament], 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able to rightly apprehend the kind of confusion of ideas that could provoke such a question.
-- Charles Babbage
[cdr] Re: DC Security Geeks Talk: Analysis of an Electronic Voting System
On Thursday 25 September 2003 12:46, Major Variola (ret) wrote:

> Someone needs to inject a story about e-voting fraud into the popular imagination. Is Tom Clancy available? Maybe an anonymous, detailed, plausible, (but secretly fictional) blog describing how someone did this in their podunk county... then leak this to a news reporter..

Think http://aflightrisk.com/. Take advantage of a blog's temporal immediacy and pick an election somewhere. Then chronicle the fraud as it progresses.

> Failure to be *able* to assure that this *didn't* happen in that podunk county would make an important point.

I believe you are correct.