[Cryptography] Fwd: freedom-to-tinker.com: How is NSA breaking so much crypto?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Oct 17 08:33:03 EDT 2015


Paul Wouters <paul at cypherpunks.ca> writes:

>Their measurement of 66% of VPNs are using weak DH is also based on a wrong
>assumption of NO_PROPOSAL_CHOSEN. I did a write up on that:
>
>https://nohats.ca/wordpress/blog/2015/10/17/66-of-vpns-are-not-in-fact-broken/

Actually that would be one caveat to apply for the paper, never underestimate
the brokenness of commercial/proprietary IPsec implementations (the Cisco
example you give is just the tip of the iceberg).  Things were particularly
bad with IKEv1, which was so hard to configure that vendors invented their own
management tunnels to bypass it, typically exquisitely homebrew protocols that
made every beginner mistake in the book (the worst I encountered was single
DES in ECB mode, with the "tail" (their words) of each message unencrypted
because it wasn't a multiple of 8 bytes, and the key being the shared password
used to set up the tunnel).  That could be another candidate for the NSA's
magic breakthrough, vendor homebrewed management tunnels.

Peter.
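The three defects Gutmann lists for the homebrew management tunnel (a 64-bit block cipher in ECB mode, the sub-8-byte "tail" of each message sent in the clear, and the shared password used directly as the key) are easy to see side by side with a few lines of code. The script below is an added example, not code from the post, from the paper under discussion, or from any vendor. Because single DES is not in the Python standard library, `toy_block_encrypt` is a throwaway keyed byte-permutation that merely stands in for a deterministic 8-byte block function; the message, password and salt are constructed values. `homebrew_encrypt` reproduces the flawed construction, `hardened_encrypt` shows the same block function used with a KDF, PKCS#7 padding and CBC chaining, and `analyse` is the defender-side check one would run over a captured message: count repeated ciphertext blocks (the ECB pattern leak) and test whether the trailing partial block is printable text (the unencrypted tail).

```python
import hashlib
import os
from collections import Counter
from typing import Optional

BLOCK = 8  # 64-bit block, same block size as single DES


def toy_block_encrypt(block: bytes, key: bytes) -> bytes:
    """Toy 8-byte keyed bijection standing in for single DES (NOT a real cipher).

    XOR with the key, then shuffle the bytes with a key-dependent permutation.
    All that matters here is that it is deterministic per (block, key), which
    is enough to show how ECB mode leaks message structure.
    """
    assert len(block) == BLOCK and len(key) == BLOCK
    mixed = bytes(b ^ k for b, k in zip(block, key))
    order = sorted(range(BLOCK), key=lambda i: (key[i], i))
    return bytes(mixed[i] for i in order)


def homebrew_encrypt(msg: bytes, password: str) -> bytes:
    """The flawed construction from the post: password as key, ECB, tail in the clear."""
    # Shared tunnel password used directly as the key: low entropy, no KDF.
    key = password.encode()[:BLOCK].ljust(BLOCK, b"\0")
    full = len(msg) - len(msg) % BLOCK
    body = b"".join(toy_block_encrypt(msg[i:i + BLOCK], key)
                    for i in range(0, full, BLOCK))
    # The "tail" that is not a multiple of 8 bytes is appended unencrypted.
    return body + msg[full:]


def hardened_encrypt(msg: bytes, password: str, salt: bytes,
                     iv: Optional[bytes] = None) -> bytes:
    """Same toy block function, but with PBKDF2, PKCS#7 padding and CBC chaining."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=BLOCK)
    pad = BLOCK - len(msg) % BLOCK          # PKCS#7: always adds 1..8 bytes
    padded = msg + bytes([pad]) * pad
    prev = iv if iv is not None else os.urandom(BLOCK)
    out = [prev]                            # IV is transmitted in front of the body
    for i in range(0, len(padded), BLOCK):
        chained = bytes(p ^ c for p, c in zip(padded[i:i + BLOCK], prev))
        prev = toy_block_encrypt(chained, key)
        out.append(prev)
    return b"".join(out)


def analyse(ciphertext: bytes) -> dict:
    """Defender-side heuristics for the two leaks described in the post."""
    full = len(ciphertext) - len(ciphertext) % BLOCK
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, full, BLOCK))
    tail = ciphertext[full:]
    return {
        "blocks": full // BLOCK,
        # number of ciphertext blocks that occur more than once (ECB leak)
        "repeated_blocks": sum(c for c in counts.values() if c > 1),
        "tail_len": len(tail),
        # a printable partial block at the end is a strong hint it was never encrypted
        "tail_is_ascii": bool(tail) and all(32 <= b < 127 for b in tail),
        "tail": tail,
    }


# Constructed sample: three identical keep-alive records followed by credentials.
SAMPLE_MSG = b"ALIVE:1 " * 3 + b"user=admin;pw=hunter2"
SAMPLE_PASSWORD = "tunnelpw"        # constructed shared tunnel password
SAMPLE_SALT = b"constructed-salt"   # constructed KDF salt

if __name__ == "__main__":
    print("homebrew:", analyse(homebrew_encrypt(SAMPLE_MSG, SAMPLE_PASSWORD)))
    print("hardened:", analyse(hardened_encrypt(SAMPLE_MSG, SAMPLE_PASSWORD, SAMPLE_SALT)))
```

Run against the sample, the homebrew output shows three identical ciphertext blocks for the three keep-alive records and the literal bytes `nter2` hanging off the end, which is exactly the kind of structure a passive observer can read without touching the cipher; the hardened output has neither. The same two heuristics applied to real captures are a cheap first test for whether a proprietary tunnel protocol deserves closer scrutiny.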
