FW: CISCO PIX Vulnerability

Adam Shostack adam@homeport.org
Tue, 16 Jun 1998 02:34:56 -0400 (EDT)

	In considering the cost/benefit of building such machines, be
aware that if an organization has built one to perform a specific
task, it now has the machine as a sunk cost, and may target you to
keep the machine warm.

	Strong crypto generally costs the same as weak crypto (modulo
export controls).  Use of weak crypto because no one would spend 30k
to target your system is stupid.  When DES came out, cracking it was
probably beyond the reach of even the NSA.  (Although Robert Morris Sr
often reminds us to never underestimate the amount of effort your
opponents will put into cryptanalysis.)  Now, DES is cracked with some
regularity by volunteer groups loosely coordinated over the internet.
DES based systems are going to be with us for at least another 5-10
years.  Buying DES today is stupid, unless you're planning to see the
system crash with a Y2k bug, and need replacement.


Hal wrote:

| This is a crypto question and I guess we should take subsequent posts to 
| alt.cyberpunks.  The thing to watch out for is the slow but steady
| progress being made with unique cracking engines using field
| programmable logic arrays and similar devices. 40 bit keys are
| estimated to fall in one to three hours depending upon the system. The
| cost is around $30-50k, reasonable and within range of many
| organizations.  You should be careful to balance this protection
| against the value of what is being protected.         
| Regards Hal
| Hal@mrj.com
| ----------
| lum@infoexpress.com wrote
| Damir Rajnovic wrote:
| > 
| > Apparently, knowing what bits are fixed will not bring attacker 
| > any additional 'gain' in breaking a DES. At least I was told that by 
| > people from sci.crypt group.
| That statement is true under certain circumstances, but it seems to be taken 
| out of context here.
| DES uses an 8 byte key, of which only 56 bits are used for encryption (8 of 
| the bits are ignored). Because of this, you can take a 7 byte key and by 
| carefully expanding it, you can produce an 8 byte DES key that is just as 
| strong as a random 8 byte key so long as the original 7 byte key is truly 
| random. 
| When using DES with the infamous 40 bit key limitation often mandated by 
| certain governments, vendors must further reduce the 56 bits down to 40 bits. 
| The algorithm used is typically to mask (fix) 16 bits in the 56 bits used in 
| the DES key such that the number of non-fixed bits always adds up to 40 bits. 
| The "privacy" of a 40 bit key does not depend on which of the 16 bits were 
| masked out of the original 56 used bits. The same method can be used to 
| create an effective key length of 48 bits.
| > Another thing is that PIX is using DES in ECB mode. CISCO admits that
| > "....ECB is not generally considered to be the best mode in which to 
| > employ DES,...." but you'll have to live with it. CISCO will not fix
| > that so you'll have to buy future IPSEC/IKE products.
| ECB is the simplest (and most vulnerable) mode available...
| Regards,
| Stacey Lum
| InfoExpress

"It is seldom that liberty of any kind is lost all at once."