Firewalls: Re: Encrypted data across national boundaries

Firewalls
(August 1995)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Encrypted data across national boundaries
From:	Ben <adept @ minerva . cis . yale . edu>
Date:	Sun, 13 Aug 1995 19:29:42 -0400
To:	paul @ hawksbill . sprintmrn . com (Paul Ferguson)
Cc:	firewalls @ greatcircle . com (Firewalls List)

At 10:33 PM 8/12/95 -0500, Paul Ferguson wrote:

>Encryption doesn't protect against TCP hijacking. Disconnection does.

Why wouldn't it?

If you've got an encrypted data stream that is ostensibly protected by
strong crypto in which the keys were securely exchanged(D-H key exchange),
then an attacker that was intending to mount a hijack attack would be unable
to forge properly encrypted data or read/sniff encrypted data off the stream.

>I admit that I tend to read 'overkill' into this thread. Man-in-the-middle
>attacks aren't 'likely.' In fact, they'd be darnright rare, unless you
>have been entrusted with the keys to Ft. Knox, and in that case, you
>should be shot for hooking it into the Internet.  :-)

I personally have not seen man-in-the-middle attacks, however, I'm still new
at all of this.  However, it strikes me that if the data were worth enough,
I don't see why it couldn't happen--for example rival brokerage houses that
wanted to get a copy of their competitors data streams...That would
certainly be worth the effort.

For those of you who have been in the INFOSEC field longer than I have, have
any of YOU seen man-in-the-middle attacks?  What was being attacked?  Was it
sucessful?

>Admittedly, there are existing technologies to establish and exchange
>encryption keys at initial communication, however, they are licensed.

Bruce Schneier's _Applied_Cryptograph_ lists the D-H patent as expiring 
April 29, 1997.

>There has been discussion after discussion after discussion of implementing
>a system capable of doing this within the next generation of IP, however,
>I do not believe progress has been made to any measureable extent.

On the Cypherpunks list, Perry Metzger(who I believe also reads this list) has
stated that an RFC for the next gen of IP which will incorporate link
encryption is
almost ready.

Ben.
***********************************************************************
Ben Samman					     Samman @
 cs .
 yale .
 edu
I'm on vacation now, so e-mail will recieve a latency of +/- 24 hours.
		PGP Key available from keyservers

Follow-Ups:

Re: Encrypted data across national boundaries
From: paul @ hawksbill . sprintmrn . com (Paul Ferguson)

Indexed By Date	Previous:	Re: Encrypted data across national boundaries??? From: smb @ research . att . com
Indexed By Date	Next:	Re: Encrypted data across national boundaries From: paul @ hawksbill . sprintmrn . com (Paul Ferguson)
Indexed By Thread	Previous:	Re: Encrypted data across national boundaries From: Ted Doty <ted @ kgbvax . network . com>
Indexed By Thread	Next:	Re: Encrypted data across national boundaries From: paul @ hawksbill . sprintmrn . com (Paul Ferguson)