lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat Nov 26 19:51:39 2005
From: j.schipper at math.uu.nl (Joachim Schipper)
Subject: IPsecurity theater

On Sat, Nov 26, 2005 at 07:35:34AM -0800, coderman wrote:
> On 11/26/05, Joachim Schipper <j.schipper@...h.uu.nl> wrote:
> > I fully agree. But if you only want to accept traffic from trusted,
> > authenticated sources, it's about as close to that as you can get.
> 
> what i'd like a key daemon to do:
> - create or import a symmetric key database (hardware entropy++)
> - for encrypted key databases prompt for authentication
> - enter SA's according to key schedule associated with db
> - invalidate used keys and securely delete them from db
> you can assume that key distribution details are covered.
> 
> what i don't what it ever doing:
> opening a public network socket and listening to unauthenticated
> traffic (ISAKMP).

No need to run a daemon for all that. Just use gnupg for the encryption,
setkey (linux/KAME), ipsecctl (OpenBSD), or whatever your OS of choice
uses to set up keys, and a couple of cron jobs to read the database and
invalidate old keys.

Not quite as trivial as the above makes it out to be, of course, and all
hell will break loose if you ever have a big clock skew, but outside of
that, I don't see why it wouldn't work.

		Joachim

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ