|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: ABOVE.NET SECURITY TRUTHS?
> Why that whole song and dance? The idea is to approximate a > cryptographic property known as "perfect forward secrecy". Perfect > forward secrecy says that if, some time in the future, your machine > is compromised, the enemy can't read past traffic. In this case, > since that RSA key pair is discard hourly, and that is the only > key that can decrypt the session key, our old traffic is protected. > It's only readable if the machine is penetrated while that key is > live. Since we are going into a description of cryptography, we might as well bring up that since the random number generator used to generate the supposedly random RSA key pair _is_ predictable, the whole idea of perfect security is improbable at best; the exercise does make it difficult for people with only a casual interest in your operations to directly compromise them. For those who are paranoid about their serial cables traversing shared trunk space, there are inline 3DES (and other algorithm) serial line encryptors that will effectively mask your traffic if you are worried about direct (conductive) or indirect (inductive) tapping. When deciding on how much energy and effort one wants to spend on securing a network, especially if one doesn't want to actually learn the underlying technology (and who would?), it helps to identify the enemy. Is it a foreign government or just a 12 year old? If its the former, you shouldn't be in public colo space (at the very least) and if its the latter, how is he getting into the colo in the first place? Deepak Jain AiNET
|