[vpn] VPN - encryption

Christopher Gripp cgripp at axcelerant.com
Fri Nov 16 15:46:56 EST 2001


I agree a VPN across the Internet without encryption is seriously
flawed.

I agree Diffie-Hellman is an algorithm.  Just not a HASHING algorithm.
As for the explanation of how it works, not needed, but I appreciate
your ability to cut and paste.




Christopher Gripp 
Systems Engineer 
Axcelerant

"Never tell people how to do things. Tell them what to do and they will
surprise you with their ingenuity."

-General George S. Patton

-----Original Message-----
From: Loki [mailto:loki at fatelabs.com]
Sent: Friday, November 16, 2001 12:50 PM
To: Christopher Gripp; vpn at securityfocus.com
Subject: Re: [vpn] VPN - encryption


Please accept this as constructive criticism rather than trying to start a
thread war over relative definitions of what a "vpn" is. But I do not
understand why someone would deploy a VPN without ensuring encryption of the
data.

Also, Diffie-Hellman is actually defined as an algorithm: I quote Bruce
Schneier:

"Diffie-Hellman is a fairly simple two-step key-exchange technique. Two
parties each generate a random value and apply the first step in the
Diffie-Hellman ___algorithm___. They exchange the results of these
calculations and apply the second step calculation. This results in each side
creating the same final value in a secure manner. The public values are g,
the generator, and n, a prime value. The final result created by both parties
is often referred to as Z. If you read the appendices in the WTLS specs you
will find two entries with a predefined g and n for the WTLS Diffie-Hellman
___algorithm___ implementations.
From "Applied Cryptography" by Bruce Schneier:

The math is simple. First, Alice and Bob agree on a large prime, n and g,
such that g is primitive mod n. These two integers don't have to be secret;
Alice and Bob can agree to them over some insecure channel. They can even be
common among a group of users. It doesn't matter.

Then, the protocol goes as follows: 

(1) Alice chooses a random large integer x and sends Bob 

X=(g**x) mod n 

(2) Bob chooses a random large integer y and sends Alice 

Y=(g**y) mod n 

(3) Alice computes 

Z=(Y**x) mod n 

(4) Bob computes 

Z'=(X**y) mod n 





On Friday 16 November 2001 03:36 pm, Christopher Gripp wrote:
> Just a minor correction so as not to misinform anyone.  Diffie-Hellman is
> NOT a hashing algorithm.  Diffie-Hellman is a key agreement algorithm
> used by two parties to agree on a shared secret.
>
> MD5 and SHA1 are the 2 most common in use today.
>
> As for the statement that 'encryption is what makes a VPN'  Well...  I
> and others disagree but, you can have your opinion.
>
>
>
>
> Christopher Gripp
> Systems Engineer
> Axcelerant
>
> "Never tell people how to do things. Tell them what to do and they will
> surprise you with their ingenuity."
>
> -General George S. Patton
>
>
>
>
>
>
>
>
>
> -----Original Message-----
> From: Loki [mailto:loki at fatelabs.com]
> Sent: Friday, November 16, 2001 11:20 AM
> To: vpn at securityfocus.com
> Subject: Re: [vpn] VPN - encryption
>
>
>
> Ranj,
>
> Heh, uhm emphasis on "a bit about" ;) ... The two don't contradict each
> other, rather, encryption is what makes a Virtual Private Network. Based on
> the definition: "A Virtual Private Network extends a local area network to a
> remote location or traveling user through an encrypted tunnel. Utilizing
> different protocols like IKE, hashing algorithms such as Diffie-Hellman, and
> (3) Triple DES and/or single DES encryption, etc. you accomplish this
> task.
> So you can't exactly have a VPN without encryption :) I hope this helps to
> clarify VPNs for you. If not, there are several good whitepapers at
> (marketing plug here) www.fatelabs.com and vpnc.org :)
>
> Loki
> www.fatelabs.com
>
> On Friday 16 November 2001 12:22 pm, Ranjbar Hassan wrote:
> > Hi
> > I've read a bit about VPN on different sites. My question is :
> > What is the relation between VPN and encryption? Is it possible to
> > have VPN without encryption? is encryption with VPN optional or a
> > must?
> >
> > Best regards,
> > Ranj
> >
> >
> > VPN is sponsored by SecurityFocus.com

-- 
==============================================
Loki
Founder, Chief Research Scientist
Fate Research Labs
United States VPN Division
----------------------------------------------------------------
[w] http://www.fatelabs.com
[e] loki at fatelabs.com
[p] 412-303-3115
==============================================
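
The four-step exchange quoted in this thread, next to a hash, as an added example that is not part of any poster's message. It assumes the Oakley Group 2 parameters from RFC 2409 (the IKE-era 1024-bit prime with g = 2) and SHA-256 for turning Z into a key; the function names are illustrative.

```python
import hashlib
import secrets

# Public parameters n and g: Oakley Group 2 (RFC 2409), chosen as an assumption
# because the thread discusses IKE. 1024 bits is too small for new deployments.
N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keypair():
    """Steps (1)/(2): choose a random secret x, publish X = (g**x) mod n."""
    x = secrets.randbelow(N - 3) + 2  # 2 <= x <= n-2
    return x, pow(G, x, N)


def shared_secret(own_secret, peer_public):
    """Steps (3)/(4): Z = (Y**x) mod n, rejecting degenerate peer values."""
    # 0, 1 and n-1 would force Z into a tiny, guessable set of values.
    if not 1 < peer_public < N - 1:
        raise ValueError("peer public value outside 2..n-2")
    return pow(peer_public, own_secret, N)


def session_key(z):
    """The hash is a separate tool: it compresses Z into a fixed-size key."""
    width = (N.bit_length() + 7) // 8
    return hashlib.sha256(z.to_bytes(width, "big")).digest()


def demo():
    x, X = keypair()  # Alice's secret and the value she sends Bob
    y, Y = keypair()  # Bob's secret and the value he sends Alice
    z_alice = shared_secret(x, Y)  # Z
    z_bob = shared_secret(y, X)    # Z'
    return z_alice, z_bob, session_key(z_alice), session_key(z_bob)


if __name__ == "__main__":
    z_a, z_b, k_a, k_b = demo()
    print("Z == Z':", z_a == z_b)
    print("session key:", k_a.hex())
```

Neither side authenticates the other here, so this exchange alone does not stop a man in the middle; IKE, mentioned in the thread, adds authentication around it.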
