[VOIPSEC] FWD - Hotel and Wfi Insecurity, including SIP

Hallam-Baker, Phillip pbaker at verisign.com
Mon Nov 21 12:13:41 CST 2005 

I never got to go in the anti-gravity chamber at CERN either...

The point about computer cryptography is that the work function is
asymmetric. If the defender does n+1 units of work the attacker needs to
perform doubles. If n is sufficiently large the code cannot be broken by
brute force. With 256 bit keys we are talking about brute force work
factors that are beyond any computer that can be built from an earth
sized pile of atoms before the sun turns into a red giant and vaporizes
the planets.

Quantum cryptanalysis changes the game but not by as much as people
think.

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org 
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Jon Callas
> Sent: Monday, November 21, 2005 11:30 AM
> To: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] FWD - Hotel and Wfi Insecurity, including SIP
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 21 Nov 2005, at 6:07 AM, Philip Walenta wrote:
> 
> > I never meant to imply that the digest SIP uses was 
> insecure, merely 
> > that by doing a little social engineering, it can be broken 
> like many 
> > other passwords due to user habits.
> >
> > Will there ever be something "totally unbreakable"?  
> Possibly, but not 
> > in our lifetimes IMHO.  As CPU speed increases, brute-force becomes 
> > easier to do.
> >
> 
> Yes, but there are ways to deal with that. For example, you 
> can salt the hash function, which makes dictionary searches 
> harder. You can also iterate the hash function so that you 
> slow down the search speed.
> 
> Look at section 3.6 of <http://www.ietf.org/rfc/rfc2440.txt> 
> and you'll see all of these things. In the "iterated and 
> salted string-to- key specifier" you can specify along with 
> your password how much to iterate. This means you can 
> actually redo someone's password dynamically to compensate 
> for increasing CPU speeds.
> 
> > I just read a fiction book written by Dan Brown (author of the Da 
> > Vinci Code).  It was named "Digital Fortress" where the central 
> > premise is that the NSA has a 3000 CPU system that can break any 
> > encryption in like 6 minutes, and then a guy comes up with 
> some sort 
> > of encryption with a mutating key which fouls the whole thing up.  
> > Given that I'm not a cryptographer, I don't know if this is 
> even close 
> > to possible, but I would surmise that a mutating key could 
> possibly be 
> > the only possibility at a truly uncrackable scheme.
> 
> Well, um, forgive me for being a smart-ass, but does this 
> mean I can bring up Dick Tracy or a Bond movie in other 
> discussions of VOIP?
> 
> Digital Fortress is a great read, and there are parts of it 
> that are very insightful. There are parts of it that make me 
> want to scream, "no, no, no!" as well. This is somewhere in 
> the middle.
> 
> Keys are data. Data does not mutate. If you constructed a 
> system in which your key was code rather than data (and 
> actually self-modifying code), then you'd have something 
> similar to what he's describing.  
> It's very cool to hypothesize a security system in which the 
> security objects are bits of self-modifying code. But it's so 
> cool that it's a really bad idea; no sane person would do 
> that. On the third hand, this wouldn't be the first time that 
> someone would design a cryptosystem that an outside reviewer 
> might comment, "no sane person would do that."
> 
> 	Jon
> 
> - --
> Jon Callas
> CTO, CSO
> PGP Corporation         Tel: +1 (650) 319-9016
> 3460 West Bayshore      Fax: +1 (650) 319-9001
> Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
> USA                          28b6 52bf 5a46 bc98 e63d
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Universal 2.0.3
> 
> iQEVAwUBQ4H2FrveU3tlJIqaAQjzvQf/Vky3LNSUaOZyQq74MkuqedeZuEUd2WqV
> ROnycbUNrQRNVXTnTiVXDxb4WdHa8+CI3eNKfrzBv3EtiFyZYwOOFBtsFOD8W+j3
> Zr3zlqH9UrHDdSimobcdyDwByFQHnqTDyytR/ZMWdsqoVKZRpgvcAZDEqrP+/MiE
> 8Fb4nQpQkaDpA4IcNyDBnlDtXyezzzOmBlLvXF+y08Kx6Hn+w2GiTj2Qxqc53SAv
> apRPsD1O9wIdkY5GP0JqtOGslFlGJ+liazONg1qcDv79VJdvtXfBHjgsiDRKgjBj
> jds9SygFAggjL6k0bwzIanAANZiyC94czngdz80L2gSCjg77c8u0ww==
> =wetH
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
>

More information about the Voipsec mailing list