[vpn] VPN - encryption
Christopher Gripp
cgripp at axcelerant.com
Fri Nov 16 16:24:25 EST 2001
This is semantics. You say you 'never said it wasn't a key exchange',
but you DID say it WAS a hashing algorithm. It can't be both.
Diffie-Hellman implements SHA-1 as its message digest function (HASH) to
generate an arbitrary amount of keying material.
Why don't you define what a hashing algorithm is for me. Maybe that
will clear it up.
As for bandwidth, the moderator appears to have stopped the thread after
my first response so all of these have been between you and I anyway.
As for my professionalism being questioned, how about giving ACCURATE
answers to those people asking the questions.
ADMIT WHEN YOU ARE INCORRECT. It's quite clear, as I am sure many
people would agree, that Diffie-Hellman is NOT a hash but a key exchange
and that it merely utilizes a hash.
My own cut and paste from
http://www.ietf.org/rfc/rfc2409.txt?number=2409:
ISAKMP ([MSST98]) provides a framework for authentication and key
exchange but does not define them. ISAKMP is designed to be key
exchange independent; that is, it is designed to support many
different key exchanges.
While Oakley defines "modes", ISAKMP defines "phases". The
relationship between the two is very straightforward and IKE presents
different exchanges as modes which operate in one of two phases.
Christopher Gripp
Systems Engineer
Axcelerant
"Never tell people how to do things. Tell them what to do and they will
surprise you with their ingenuity."
-General George S. Patton
-----Original Message-----
From: Loki [mailto:loki at fatelabs.com]
Sent: Friday, November 16, 2001 1:18 PM
To: Christopher Gripp; vpn at securityfocus.com
Subject: Re: [vpn] VPN - encryption
BTW:
Diffie-Hellman is USED in Key Exchange, but IS a hashing algorithm.. Just
like MD5 can be USED in Key Exchange, but is a hashing algorithm, and not
a method of key exchange.. That's what IKE is for.. MD5/DH are used IN IKE
End of thread
-----Original Message-----
From: Loki [mailto:loki at fatelabs.com]
Sent: Friday, November 16, 2001 1:10 PM
To: Christopher Gripp; vpn at securityfocus.com
Subject: Re: [vpn] VPN - encryption
I never said it wasn't a Key exchange.. "Diffie-Hellman Key Exchange",
nor did I say they are one and the same << "using the Diffie-Hellman Key
Exchange algorithm".. I think in order to avoid more wasted bandwidth we
can just sum this up to a difference of definition for terms. You say
pot-ay-toe I say pa-ta-toe, dig it? Cool.
Whether you agree or not, I've been into too many discussions where it
was referred to as the "Diffie-Hellman hashing algorithm". I'm not here
to battle over hearsay. Let's keep this forum strictly to helping people
out with questions and answers only, not a battle over "who knows more".
BTW: You might want to bump down that tone and keep your emails strictly
professional, I've read the Diffie-Hellman, ISAKMP, and IPSec RFCs more
times than I can count.
Loki
www.fatelabs.com
On Friday 16 November 2001 03:56 pm, Christopher Gripp wrote:
> Hmm.. Can you name those sources that call it a HASH? How about
> starting at the root with the RFC. It's # 2631 [
> http://www.ietf.org/rfc/rfc2631.txt?number=2631 ] just in case you
> haven't read it yet. Hash functions and Key Exchange algorithms are 2
> different animals. I don't see how ANYONE could confuse the 2.
>
> Christopher Gripp
> Systems Engineer
> Axcelerant
>
> "Never tell people how to do things. Tell them what to do and they will
> surprise you with their ingenuity."
>
> -General George S. Patton
>
> -----Original Message-----
> From: Loki [mailto:loki at fatelabs.com]
> Sent: Friday, November 16, 2001 12:57 PM
> To: Christopher Gripp; vpn at securityfocus.com
> Subject: Re: [vpn] VPN - encryption
>
> :D Thanks, my cut and paste abilities are well seasoned :) Fjear
>
> "emulate 3 button mouse in XWindows" :)
>
> As for the additional word of "hashing" being used.. I think it's safe
> to say that definitions are all relative to individual people. In many
> discussions and also books, I've seen it referred to as "hashing with
> Diffie-Hellman" or the "Diffie-Hellman Hash" Kind of interesting..
>
> Loki
> www.fatelabs.com
>
> On Friday 16 November 2001 03:46 pm, Christopher Gripp wrote:
> > I agree a VPN across the Internet without encryption is seriously
> > flawed.
> >
> > I agree Diffie-Hellman is an algorithm. Just not a HASHING algorithm.
> > As for the explanation of how it works, not needed, but I appreciate
> > your ability to cut and paste.
> >
> > Christopher Gripp
> > Systems Engineer
> > Axcelerant
> >
> > "Never tell people how to do things. Tell them what to do and they
> > will surprise you with their ingenuity."
> >
> > -General George S. Patton
> >
> > -----Original Message-----
> > From: Loki [mailto:loki at fatelabs.com]
> > Sent: Friday, November 16, 2001 12:50 PM
> > To: Christopher Gripp; vpn at securityfocus.com
> > Subject: Re: [vpn] VPN - encryption
> >
> >
> > Please accept this as constructive criticism rather than trying to
> > start a thread war over relative definitions of what a "vpn" is. But
> > I do not understand why someone would deploy a VPN without ensuring
> > encryption of the data.
> >
> > Also, Diffie-Hellman is actually defined as an algorithm: I quote
> > Bruce Schneier:
> >
> > "Diffie-Hellman is a fairly simple two-step key-exchange technique.
> > Two parties each generate a random value and apply the first step in
> > the Diffie-Hellman ___algorithm___. They exchange the results of these
> > calculations and apply the second step calculation. This results in
> > each side creating the same final value in a secure manner. The public
> > values are g, the generator, and n, a prime value. The final result
> > created by both parties is often referred to as Z. If you read the
> > appendices in the WTLS specs you will find two entries with a
> > predefined g and n for the WTLS Diffie-Hellman __algorithm___
> > implementations.
> > From "Applied Cryptography" by Bruce Schneier:
> >
> > The math is simple. First, Alice and Bob agree on a large prime, n
> > and g, such that g is primitive mod n. These two integers don't have
> > to be secret; Alice and Bob can agree to them over some insecure
> > channel. They can even be common among a group of users. It doesn't
> > matter.
> >
> > Then, the protocol goes as follows:
> >
> > (1) Alice chooses a random large integer x and sends Bob
> >
> > X=(g**x) mod n
> >
> > (2) Bob chooses a random large integer y and sends Alice
> >
> > Y=(g**y) mod n
> >
> > (3) Alice computes
> >
> > Z=(Y**x) mod n
> >
> > (4) Bob computes
> >
> > Z'=(X**y) mod n
> >
> > On Friday 16 November 2001 03:36 pm, Christopher Gripp wrote:
> > > Just a minor correction so as not to misinform anyone. Diffie-
> > > Hellman is NOT a hashing algorithm. Diffie-Hellman is a key
> > > agreement algorithm used by two parties to agree on a shared secret.
> > >
> > > MD5 and SHA1 are the 2 most common in use today.
> > >
> > > As for the statement that 'encryption is what makes a VPN' Well...
> > > I and others disagree but, you can have your opinion.
> > >
> > > Christopher Gripp
> > > Systems Engineer
> > > Axcelerant
> > >
> > > "Never tell people how to do things. Tell them what to do and they
> > > will surprise you with their ingenuity."
> > >
> > > -General George S. Patton
> > >
> > > -----Original Message-----
> > > From: Loki [mailto:loki at fatelabs.com]
> > > Sent: Friday, November 16, 2001 11:20 AM
> > > To: vpn at securityfocus.com
> > > Subject: Re: [vpn] VPN - encryption
> > >
> > >
> > >
> > > Ranj,
> > >
> > > Heh, uhm emphasis on "a bit about" ;) ... The two don't contradict
> > > each other, rather, encryption is what makes a Virtual Private
> > > Network. Based on the definition: "A Virtual Private Network extends
> > > a local area network to a remote location or traveling user through
> > > an encrypted tunnel. Utilizing different protocols like IKE, hashing
> > > algorithms such as Diffie-Hellman, and (3) Triple DES and/or single
> > > DES encryption , etc. you accomplish this task.
> > > So you can't exactly have a VPN without encryption :) I hope this
> > > helps to clarify VPNs for you. If not, there are several good
> > > whitepapers at (marketing plug here) www.fatelabs.com and vpnc.org :)
> > >
> > > Loki
> > > www.fatelabs.com
> > >
> > > On Friday 16 November 2001 12:22 pm, Ranjbar Hassan wrote:
> > > > Hi
> > > > I've read a bit about VPN on different sites. My question is :
> > > > What is the relation between VPN and encryption? Is it possible
> > > > to have VPN without encryption? Is encryption with VPN optional
> > > > or a must?
> > > >
> > > > Best regards,
> > > > Ranj
> > > >
> > > >
> > > > VPN is sponsored by SecurityFocus.com
--
==============================================
Loki
Founder, Chief Research Scientist
Fate Research Labs
United States VPN Division
----------------------------------------------------------------
[w] http://www.fatelabs.com
[e] loki at fatelabs.com
[p] 412-303-3115
==============================================
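The four-step exchange quoted from Applied Cryptography earlier in this thread, written out as an added example (not code from any participant): the agreement itself uses only modular exponentiation, and a hash enters only afterwards, to stretch the agreed value Z into keying material, which is the distinction the thread argues over. The toy modulus, the function names, the peer-value check and the counter-mode SHA-1 stretch are my own illustration, not IKE's prf or any RFC's construction.

```python
import hashlib
import secrets

# Constructed toy parameters (illustration only): a real deployment uses a
# large prime such as an IKE MODP group, never a two-digit modulus.
N = 23  # the prime "n" of the quoted protocol
G = 5   # the generator "g", primitive mod 23

def public_value(private, g=G, n=N):
    """Steps (1)/(2): X = g**x mod n on Alice's side, Y = g**y mod n on Bob's."""
    return pow(g, private, n)

def peer_value_ok(value, n=N):
    """Defensive check: a public value of 0, 1 or n-1 (or out of range) lets
    a peer force the agreed secret into a handful of guessable values."""
    return 1 < value < n - 1

def shared_secret(peer_public, private, n=N):
    """Steps (3)/(4): Z = Y**x mod n for Alice, Z' = X**y mod n for Bob."""
    if not peer_value_ok(peer_public, n):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, n)

def private_value(n=N):
    """Random private exponent whose own public value passes the check above."""
    while True:
        x = secrets.randbelow(n - 2) + 1
        if peer_value_ok(public_value(x, n=n), n):
            return x

def derive_keying_material(z, nbytes, n=N):
    """Only here does a hash enter: stretch the agreed Z with SHA-1 into
    nbytes of keying material (simple counter construction, not IKE's prf)."""
    z_bytes = z.to_bytes((n.bit_length() + 7) // 8, "big")
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha1(z_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]

def run_exchange(x=None, y=None):
    """Run both sides; returns (X, Y, Z, Z'). Random exponents unless given."""
    x = private_value() if x is None else x
    y = private_value() if y is None else y
    X = public_value(x)  # sent Alice -> Bob
    Y = public_value(y)  # sent Bob -> Alice
    return X, Y, shared_secret(Y, x), shared_secret(X, y)
```

With x = 6 and y = 15 the exchange yields X = 8, Y = 19 and both sides agree on Z = 2; `derive_keying_material(Z, 40)` then produces the 40 bytes of key material that the cipher, not the exchange, consumes.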