 
 From:  Michael Brown <knightmb at knightmb dot dyndns dot org>
 To:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] VPN - IPsec break down without changing anything
 Date:  Fri, 04 Apr 2008 10:27:50 -0600
Thanks for the info, it does state that a brute force attack is possible 
(well yeah, true for anything), so I think it still depends on someone 
choosing a better key than "12345" or "<Your Company Name Here>". :-)

It was a good read though, thanks!

David Burgess wrote:
> http://en.wikipedia.org/wiki/Data_Encryption_Standard
>
> Wikipedia states that DH is safe if the keys are well chosen, but makes no
> mention of bit-length.
>
> db
>
> On 04/04/2008, Michael Brown <knightmb at knightmb dot dyndns dot org> wrote:
>
>> A quick google search didn't find anything to support the "it's not
>> secure" part, I would like to read more about it if you have a link to the
>> information.
>>
>> wmorgan at ffpir dot org wrote:
>>
>>
>>> It looks like the other end of the connection is only offering to use
>>> DES encryption and a 768-bit DH group. This is _not_ secure, but some
>>> older hardware (notably Cisco) doesn't support anything better.
>>>
>>> I'd start by seeing if you can turn on 3DES or AES encryption and at
>>> least a 1024-bit DH (aka MODP) group on the other end for the phase 1
>>> negotiation.
>>> Wes
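The phase 1 check Wes describes (DES with a 768-bit group 1 versus 3DES/AES with at least a 1024-bit MODP group), turned into a small audit over racoon-style `proposal { ... }` blocks. This is an added example, not code from the thread or from m0n0wall; the config syntax assumed here, the address 203.0.113.1 and the function names are constructed for illustration.

```python
import re

# DH group numbers and names as used in IKE phase 1, mapped to MODP size in bits.
DH_GROUP_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048,
                 "modp768": 768, "modp1024": 1024, "modp1536": 1536, "modp2048": 2048}
STRONG_CIPHERS = {"3des", "aes"}  # per the thread: DES alone is not acceptable

def parse_proposals(conf):
    """Return one {option: value} dict per 'proposal { ... }' block in conf."""
    proposals = []
    for body in re.findall(r"proposal\s*\{([^}]*)\}", conf):
        opts = {}
        for line in body.splitlines():
            line = line.strip().rstrip(";")
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                opts[key] = value.strip()
        proposals.append(opts)
    return proposals

def audit_proposals(conf, min_dh_bits=1024):
    """Return findings (strings) for every phase 1 proposal below the floor."""
    findings = []
    for n, p in enumerate(parse_proposals(conf), 1):
        # tolerate a trailing key length after the cipher name, e.g. "aes 256"
        enc = (p.get("encryption_algorithm") or "unset").split()[0].lower()
        grp = (p.get("dh_group") or "unset").lower()
        bits = DH_GROUP_BITS.get(grp, 0)
        if enc not in STRONG_CIPHERS:
            findings.append(f"proposal {n}: encryption_algorithm {enc} is too weak, use 3des or aes")
        if bits < min_dh_bits:
            findings.append(f"proposal {n}: dh_group {grp} is {bits}-bit, below the {min_dh_bits}-bit floor")
    return findings

# Constructed sample: proposal 1 mirrors the weak peer in the thread (DES and
# 768-bit group 1); proposal 2 is the suggested replacement (AES, 1024-bit group).
SAMPLE_CONF = """
remote 203.0.113.1 {
    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        dh_group 1;
    }
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        dh_group modp1024;
    }
}
"""
```

Running `audit_proposals(SAMPLE_CONF)` reports two findings, both against proposal 1; raising `min_dh_bits` to 2048 also flags the modp1024 group in proposal 2.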