
RE: [Users] routing problem

From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Jul 03 2002 - 19:57:50 CEST


-----BEGIN PGP SIGNED MESSAGE-----

> On Wed, 3 Jul 2002, Sam Sgro wrote:
>
> > As well, this setup is less secure: anyone doing traffic analysis of your
> > sites would quickly realise that the encrypted message from 1
> > to 2 is similar in timing and size to the encrypted message from 2 to 3;
> > this actually opens you up to a plaintext attack.
>
> Can't they do the same even if there was just 1 and 2? If you assume they can
> monitor, they can also do traffic analysis, and try known plaintext attacks.

Let me try to restate that last little sentence fragment with more verbiage.
:) Talking about the increased risk of a plaintext attack:

I'm comparing a tunnel from 1 to 3 versus a tunnel from 1 to 2 and 2 to 3. In
the first case, if I compromise 1, I know nothing about communications between
2 and 3; only 1 and 3 and 1 and 2. In the second case, if I compromise 1, I
now have a vehicle to mount plaintext attacks on the communications between 2
and 3, because I can prompt an encrypted stream of data whose content I
already know (i.e., a chosen plaintext attack). In any hub topology system, if I
can find a back door into any one of the nodes, I have a much better chance of
compromising communications on the "spokes" (between the central point and the
rest of the nodes).

Anyhow, that is my understanding of how hub topology can open oneself up for
a plaintext attack. However, upon reflection and discussion, I believe that
3DES is fairly resistant to plaintext attack; traffic analysis is a much
better tool for gathering information on FreeS/WAN communications. However,
considering all these factors can help one practice better "cryptographic hygiene". :)

Sam Sgro
sam_at_freeswan.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBPSM7H0OSC4btEQUtAQF+iQQAjBwLRPZ8YkTGcHay8jwWFzOAIHglsmSu
ZvGaxm9WvTaDa2M5SAz/3D6O9pAO4UWT1AMT6iY06xIS3dWKZnrZnJQIsPvigp0/
CQC9R1nx20OewoNYAwHBxFW5E5nEx7jZ7TCfb1ltCAADRe9epyJcYvjGNxZG/aYA
iMRJhYvyuHc=
=lElq
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
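The traffic-analysis point in the message above (an observer on both links sees the 1->2 ciphertext and the 2->3 ciphertext with matching sizes and timing, because the hub decrypts and re-encrypts the same payload) can be made concrete with a small simulation. This is an added example, not code from the original message or from FreeS/WAN: the ESP framing overhead, the hop delay and the packet trace are constructed assumptions, and `hub_relay`, `correlate` and `pad_to_fixed` are hypothetical helper names. It also goes one step past the message by showing the usual countermeasure, padding every payload to a fixed size, and why that alone is not enough when packets are not also decorrelated in time.

```python
"""Traffic-analysis correlation across a hub-and-spoke tunnel (1 -> 2 -> 3).

Added example for the discussion above; not FreeS/WAN code.  All sizes,
delays and the sample trace below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

BLOCK = 8          # 3DES block size: ESP pads the encrypted part to a multiple of this
ESP_OVERHEAD = 50  # assumed outer IP + SPI/seq + IV + auth bytes; real values vary


@dataclass(frozen=True)
class Packet:
    t: float   # capture time in seconds (as seen by the observer)
    size: int  # on-the-wire size in bytes


def esp_wire_size(plain_len: int) -> int:
    """Wire size of one ESP packet carrying plain_len payload bytes.

    The trailer (pad length + next header, 2 bytes) is encrypted with the
    payload, so payload + 2 is rounded up to the cipher block size.
    """
    padded = (plain_len + 2 + BLOCK - 1) // BLOCK * BLOCK
    return padded + ESP_OVERHEAD


def hub_relay(plain_lens: List[int], send_times: List[float], hop_delay: float):
    """Simulate 1 -> 2 -> 3 through a hub that decrypts and re-encrypts.

    Returns the packet lists an observer would capture on link 1->2 and on
    link 2->3.  The hub forwards each packet hop_delay seconds after it
    arrives, and the payload length is unchanged by re-encryption.
    """
    link12 = [Packet(t, esp_wire_size(n)) for t, n in zip(send_times, plain_lens)]
    link23 = [Packet(round(t + hop_delay, 6), esp_wire_size(n))
              for t, n in zip(send_times, plain_lens)]
    return link12, link23


def correlate(link_a: List[Packet], link_b: List[Packet],
              max_delay: float, size_tol: int = 0) -> List[List[int]]:
    """For each packet on link A, the indices on link B that could be its copy.

    A candidate must appear on B no earlier than on A, within max_delay, and
    with the same size (within size_tol).  A list of length 1 means the
    observer has linked the two ciphertexts unambiguously.
    """
    matches = []
    for a in link_a:
        cands = [j for j, b in enumerate(link_b)
                 if 0 <= b.t - a.t <= max_delay and abs(b.size - a.size) <= size_tol]
        matches.append(cands)
    return matches


def unambiguous(matches: List[List[int]]) -> int:
    """Number of link-A packets that were linked to exactly one link-B packet."""
    return sum(1 for c in matches if len(c) == 1)


def pad_to_fixed(plain_lens: List[int], fixed: int) -> List[int]:
    """Countermeasure: pad every payload up to a fixed size before tunnelling."""
    return [max(n, fixed) for n in plain_lens]


# Constructed trace: seven packets of distinct sizes from node 1, sent in a
# burst 2 ms apart; the hub adds a 5 ms forwarding delay.
SAMPLE_LENS = [40, 512, 1000, 200, 1300, 64, 700]
SAMPLE_TIMES = [round(i * 0.002, 6) for i in range(len(SAMPLE_LENS))]
HOP_DELAY = 0.005
OBSERVER_WINDOW = 0.05   # how long the observer is willing to wait for the copy


def linked_without_padding() -> int:
    """How many packets an observer can link when payloads keep their size."""
    l12, l23 = hub_relay(SAMPLE_LENS, SAMPLE_TIMES, HOP_DELAY)
    return unambiguous(correlate(l12, l23, OBSERVER_WINDOW))


def linked_with_fixed_padding(fixed: int = 1400) -> int:
    """Same trace, but every payload padded to a fixed size before encryption."""
    l12, l23 = hub_relay(pad_to_fixed(SAMPLE_LENS, fixed), SAMPLE_TIMES, HOP_DELAY)
    return unambiguous(correlate(l12, l23, OBSERVER_WINDOW))


if __name__ == "__main__":
    print("linked, raw sizes:      ", linked_without_padding(), "of", len(SAMPLE_LENS))
    print("linked, fixed-size pads:", linked_with_fixed_padding(), "of", len(SAMPLE_LENS))
```

With distinct payload sizes the observer links every packet across the hub, even though every byte on both links is encrypted: the hub preserves size and order. Fixed-size padding removes the size signal, and in this burst the timing window then leaves several candidates for every packet, so nothing is linked; spread the same packets seconds apart and timing alone would link them again, which is why padding is normally paired with cover traffic or deliberate delay. None of this touches the cipher, which is the message's closing point: the leak is in what the tunnel cannot hide.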



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:18 CEST