North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical


  • From: Deepak Jain
  • Date: Sat Apr 29 00:22:53 2000

> Why that whole song and dance?  The idea is to approximate a
> cryptographic property known as "perfect forward secrecy".  Perfect
> forward secrecy says that if, some time in the future, your machine
> is compromised, the enemy can't read past traffic.  In this case,
> since that RSA key pair is discard hourly, and that is the only
> key that can decrypt the session key, our old traffic is protected.
> It's only readable if the machine is penetrated while that key is
> live.

Since we are going into a description of cryptography, we might as well
bring up that since the random number generator used to generate the
supposedly random RSA key pair _is_ predictable, the whole idea of perfect
security is improbable at best; the exercise does make it difficult for
people with only a casual interest in your operations to directly
compromise them.

For those who are paranoid about their serial cables traversing shared
trunk space, there are inline 3DES (and other algorithm) serial line
encryptors that will effectively mask your traffic if you are worried
about direct (conductive) or indirect (inductive) tapping.

When deciding on how much energy and effort one wants to spend on securing
a network, especially if one doesn't want to actually learn the underlying
technology (and who would?), it helps to identify the enemy. Is it a
foreign government or just a 12 year old? If its the former, you shouldn't
be in public colo space (at the very least) and if its the latter, how is
he getting into the colo in the first place?

Deepak Jain