Message-ID: <9AD9D61578B84144912BCB44CBEF9EAD0700E7B1@usnssexc03.us.kworld.kpmg.com>
From: kenng at kpmg.com (Ng, Kenneth (US))
Subject: [inbox] Re: Cisco LEAP exploit tool...
Depends on what kind of break you want. If you want to break into the
connection (à la add/modify/delete traffic in real time), yes, a 10-minute
cycle time makes it difficult. If all you want is the data afterwards (i.e.,
see the login ID and password), then all the 10-minute cycle time does is
force you to do multiple breaks. But the login and password are almost
always in the start of a connection, so that is all you need to break.
Outside of quantum crypto and one-time keys, nothing is unbreakable. It's
just a matter of time and resources. The tricks are to make them
prohibitive, and make sure there is no back door like looking at power
consumption. And I kind of wonder if there is anything in superstring
theory that could cause problems with quantum crypto.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Dave Howe
Sent: Wednesday, April 14, 2004 11:19 AM
To: Email List: Full Disclosure
Subject: Re: [inbox] Re: [Full-Disclosure] Cisco LEAP exploit tool...
Curt Purdy wrote:
> Agreed. If the packets/hashes can be accessed it can be compromised.
> "Unbreakable" has been touted from the 48-bit Netscape encryption
> that took USC's distributed network a week to crack, to Oracle 9i
> that took one day to compromise, I believe.
You are preaching to the choir there - however, my boss is preferring to
believe the consultant's claims that the 10 minute key cycle (communicated
by TLS) makes the system unbreakable.... so it doesn't need to be on a DMZ
and can work "just like they were on the lan"