FW: [vpn] VPN - encryption

Christopher Gripp cgripp at axcelerant.com
Fri Nov 16 23:37:33 EST 2001



-----Original Message-----
From: Loki [mailto:loki at fatelabs.com]
Sent: Friday, November 16, 2001 1:52 PM
To: Christopher Gripp
Subject: Re: [vpn] VPN - encryption


I guess every T has to be crossed when talking to newbies but I knew what I
meant :/ erm..
so they should.. heh


On Friday 16 November 2001 04:44 pm, you wrote:
> I wasn't tripping.  Just trying to keep things accurate.  I know how
> confused some of these people can get when first learning about VPNs.
>
>
> Chris
>
> -----Original Message-----
> From: Loki [mailto:loki at fatelabs.com]
> Sent: Friday, November 16, 2001 1:39 PM
> To: Christopher Gripp
> Subject: Re: [vpn] VPN - encryption
>
>
> ok dood calm down man.. I just reviewed that and saw. ok, well I shouldn't be
> plopping the word "hash" into the statement.. It's a simple reinterpretation
> of what others have said.. Don't trip out.. Jesus..
>
> On Friday 16 November 2001 04:24 pm, you wrote:
> > This is semantics.  You say you 'never said it wasn't a key exchange',
> > but you DID say it WAS a hashing algorithm.  It can't be both.
> > Diffie-Hellman implements SHA-1 as its message digest function (HASH)
> > to generate an arbitrary amount of keying material.
> >
> > Why don't you define what a hashing algorithm is for me.  Maybe that
> > will clear it up.
> >
> > As for bandwidth, the moderator appears to have stopped the thread after
> > my first response so all of these have been between you and me anyway.
> >
> > As for my professionalism being questioned, how about giving ACCURATE
> > answers to those people asking the questions.
> >
> > ADMIT WHEN YOU ARE INCORRECT.  It's quite clear, as I am sure many
> > people would agree, that Diffie-Hellman is NOT a hash but a key exchange
> > and that it merely utilizes a hash.
> >
> >
> > My own cut and paste from
> > http://www.ietf.org/rfc/rfc2409.txt?number=2409:
> >
> >    ISAKMP ([MSST98]) provides a framework for authentication and key
> >    exchange but does not define them.  ISAKMP is designed to be key
> >    exchange independent; that is, it is designed to support many
> >    different key exchanges.
> >
> >    While Oakley defines "modes", ISAKMP defines "phases".  The
> >    relationship between the two is very straightforward and IKE presents
> >    different exchanges as modes which operate in one of two phases.
> >
> >
> >
> >
> > Christopher Gripp
> > Systems Engineer
> > Axcelerant
> >
> > "Never tell people how to do things. Tell them what to do and they will
> > surprise you with their ingenuity."
> >
> > -General George S. Patton
> >
> >
> >
> > -----Original Message-----
> > From: Loki [mailto:loki at fatelabs.com]
> > Sent: Friday, November 16, 2001 1:18 PM
> > To: Christopher Gripp; vpn at securityfocus.com
> > Subject: Re: [vpn] VPN - encryption
> >
> >
> >
> > BTW:
> > Diffie-Hellman is USED in Key Exchange, but IS a hashing algorithm.. Just
> > like MD5 can be USED in Key Exchange, but is a hashing algorithm, and not a
> > method of key exchange.. That's what IKE is for.. MD5/DH are used IN IKE
> >
> > End of thread
> >
> > -----Original Message-----
> > From: Loki [mailto:loki at fatelabs.com]
> > Sent: Friday, November 16, 2001 1:10 PM
> > To: Christopher Gripp; vpn at securityfocus.com
> > Subject: Re: [vpn] VPN - encryption
> >
> >
> > I never said it wasn't a Key exchange.. "Diffie-Hellman Key Exchange",
> > nor did I say they are one and the same << "using the Diffie-Hellman Key
> > Exchange algorithm".. I think in order to avoid more wasted bandwidth we can
> > just sum this up to a difference of definition for terms. You say pot-ay-toe,
> > I say pa-ta-toe, dig it? Cool.
> >
> > Whether you agree or not, I've been in too many discussions where it was
> > referred to as the "Diffie-Hellman hashing algorithm". I'm not here to battle
> > over hearsay. Let's keep this forum strictly to helping people out with
> > questions and answers only, not a battle over "who knows more".
> >
> > BTW: You might want to bump down that tone and keep your emails strictly
> > professional, I've read the Diffie-Hellman, ISAKMP, and IPSec RFCs more times
> > than I can count.
> >
> > Loki
> > www.fatelabs.com
> >
> > On Friday 16 November 2001 03:56 pm, Christopher Gripp wrote:
> > > Hmm..  Can you name those sources that call it a HASH?  How about
> > > starting at the root with the RFC.  It's # 2631 [
> > > http://www.ietf.org/rfc/rfc2631.txt?number=2631 ] just in case you
> > > haven't read it yet.  Hash functions and Key Exchange algorithms are 2
> > > different animals.  I don't see how ANYONE could confuse the 2.
> > >
> > >
> > >
> > >
> > > Christopher Gripp
> > > Systems Engineer
> > > Axcelerant
> > >
> > > "Never tell people how to do things. Tell them what to do and they will
> > > surprise you with their ingenuity."
> > >
> > > -General George S. Patton
> > >
> > >
> > > -----Original Message-----
> > > From: Loki [mailto:loki at fatelabs.com]
> > > Sent: Friday, November 16, 2001 12:57 PM
> > > To: Christopher Gripp; vpn at securityfocus.com
> > > Subject: Re: [vpn] VPN - encryption
> > >
> > > :D Thanks, my cut and paste abilities are well seasoned :) Fjear "emulate 3
> > > button mouse in XWindows" :)
> > >
> > > As for the additional word of "hashing" being used.. I think it's safe to
> > > say that definitions are all relative to individual people. In many
> > > discussions and also books, I've seen it referred to as "hashing with
> > > Diffie-Hellman" or the "Diffie-Hellman Hash". Kind of interesting..
> > >
> > > Loki
> > > www.fatelabs.com
> > >
> > > On Friday 16 November 2001 03:46 pm, Christopher Gripp wrote:
> > > > I agree a VPN across the Internet without encryption is seriously
> > > > flawed.
> > > >
> > > > I agree Diffie-Hellman is an algorithm.  Just not a HASHING algorithm.
> > > >
> > > > As for the explanation of how it works, not needed, but I appreciate
> > > > your ability to cut and paste.
> > > >
> > > >
> > > >
> > > >
> > > > Christopher Gripp
> > > > Systems Engineer
> > > > Axcelerant
> > > >
> > > > "Never tell people how to do things. Tell them what to do and they will
> > > > surprise you with their ingenuity."
> > > >
> > > > -General George S. Patton
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Loki [mailto:loki at fatelabs.com]
> > > > Sent: Friday, November 16, 2001 12:50 PM
> > > > To: Christopher Gripp; vpn at securityfocus.com
> > > > Subject: Re: [vpn] VPN - encryption
> > > >
> > > >
> > > > Please accept this as constructive criticism rather than trying to start
> > > > a thread war over relative definitions of what a "vpn" is. But I do not
> > > > understand why someone would deploy a VPN without ensuring encryption of
> > > > the data.
> > > >
> > > > Also, Diffie-Hellman is actually defined as an algorithm: I quote Bruce
> > > > Schneier:
> > > >
> > > > "Diffie-Hellman is a fairly simple two-step key-exchange technique. Two
> > > > parties each generate a random value and apply the first step in the
> > > > Diffie-Hellman ___algorithm___. They exchange the results of these
> > > > calculations and apply the second step calculation. This results in each
> > > > side creating the same final value in a secure manner. The public values
> > > > are g, the generator, and n, a prime value. The final result created by
> > > > both parties is often referred to as Z. If you read the appendices in the
> > > > WTLS specs you will find two entries with a predefined g and n for the
> > > > WTLS Diffie-Hellman __algorithm___ implementations."
> > > > From "Applied Cryptography" by Bruce Schneier:
> > > >
> > > > The math is simple. First, Alice and Bob agree on a large prime, n and
> > > > g, such that g is primitive mod n. These two integers don't have to be
> > > > secret; Alice and Bob can agree to them over some insecure channel. They
> > > > can even be common among a group of users. It doesn't matter.
> > > >
> > > > Then, the protocol goes as follows:
> > > >
> > > > (1) Alice chooses a random large integer x and sends Bob
> > > >
> > > > X=(g**x) mod n
> > > >
> > > > (2) Bob chooses a random large integer y and sends Alice
> > > >
> > > > Y=(g**y) mod n
> > > >
> > > > (3) Alice computes
> > > >
> > > > Z=(Y**x) mod n
> > > >
> > > > (4) Bob computes
> > > >
> > > > Z'=(X**y) mod n
> > > >
> > > > On Friday 16 November 2001 03:36 pm, Christopher Gripp wrote:
> > > > > Just a minor correction so as not to misinform anyone.  Diffie-Hellman is
> > > > > NOT a hashing algorithm.  Diffie-Hellman is a key agreement algorithm
> > > > > used by two parties to agree on a shared secret.
> > > > >
> > > > > MD5 and SHA1 are the 2 most common in use today.
> > > > >
> > > > > As for the statement that 'encryption is what makes a VPN' Well... I
> > > > > and others disagree but, you can have your opinion.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Christopher Gripp
> > > > > Systems Engineer
> > > > > Axcelerant
> > > > >
> > > > > "Never tell people how to do things. Tell them what to do and they will
> > > > > surprise you with their ingenuity."
> > > > >
> > > > > -General George S. Patton
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Loki [mailto:loki at fatelabs.com]
> > > > > Sent: Friday, November 16, 2001 11:20 AM
> > > > > To: vpn at securityfocus.com
> > > > > Subject: Re: [vpn] VPN - encryption
> > > > >
> > > > >
> > > > >
> > > > > Ranj,
> > > > >
> > > > > Heh, uhm emphasis on "a bit about" ;) ... The two don't contradict each
> > > > > other, rather, encryption is what makes a Virtual Private Network. Based
> > > > > on the definition: "A Virtual Private Network extends a local area network
> > > > > to a remote location or traveling user through an encrypted tunnel.
> > > > > Utilizing different protocols like IKE, hashing algorithms such as
> > > > > Diffie-Hellman, and (3) Triple DES and/or single DES encryption, etc. you
> > > > > accomplish this task."
> > > > > So you can't exactly have a VPN without encryption :) I hope this helps
> > > > > to clarify VPNs for you. If not, there are several good whitepapers at
> > > > > (marketing plug here) www.fatelabs.com and vpnc.org :)
> > > > >
> > > > > Loki
> > > > > www.fatelabs.com
> > > > >
> > > > > On Friday 16 November 2001 12:22 pm, Ranjbar Hassan wrote:
> > > > > > Hi
> > > > > > I've read a bit about VPN on different sites. My question is:
> > > > > > What is the relation between VPN and encryption? Is it possible to
> > > > > > have VPN without encryption? Is encryption with VPN optional or a
> > > > > > must?
> > > > > >
> > > > > > Best regards,
> > > > > > Ranj
> > > > > >
> > > > > >
> > > > > > VPN is sponsored by SecurityFocus.com

-- 
==============================================
Loki
Founder, Chief Research Scientist
Fate Research Labs
United States VPN Division
----------------------------------------------------------------
[w] http://www.fatelabs.com
[e] loki at fatelabs.com
[p] 412-303-3115
==============================================

VPN is sponsored by SecurityFocus.com
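The Diffie-Hellman exchange quoted from Applied Cryptography in the thread above, carried through end to end, followed by the step the thread argues about: a hash-based derivation of keying material from the agreed value Z. This is an added Python example, not code from any message in the thread. The prime n=23 and generator g=5 are constructed toy parameters (far too small for real use; IKE uses the MODP groups defined in RFC 2409), and the HMAC-SHA1 derivation is an assumed, simplified stand-in for IKE's PRF-based key derivation, not the exact SKEYID formula.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: a small prime n and a generator g that is
# primitive mod n. Real deployments use 1024-bit and larger MODP groups.
N = 23
G = 5


def is_primitive_root(g: int, n: int) -> bool:
    """Check that g generates the whole multiplicative group mod n (n prime)."""
    return len({pow(g, k, n) for k in range(1, n)}) == n - 1


def dh_public(private: int, g: int = G, n: int = N) -> int:
    """Steps (1)/(2): each side sends g**private mod n over the open channel."""
    return pow(g, private, n)


def dh_shared(peer_public: int, private: int, n: int = N) -> int:
    """Steps (3)/(4): raise the peer's public value to your own private exponent."""
    return pow(peer_public, private, n)


def run_exchange(x: int, y: int, g: int = G, n: int = N) -> dict:
    """Full exchange with Alice's secret x and Bob's secret y; returns both views.
    Z and Z' must agree: Y**x = (g**y)**x = (g**x)**y = X**y (mod n)."""
    X = dh_public(x, g, n)          # Alice -> Bob
    Y = dh_public(y, g, n)          # Bob -> Alice
    Z_alice = dh_shared(Y, x, n)    # Alice computes Y**x mod n
    Z_bob = dh_shared(X, y, n)      # Bob computes X**y mod n
    return {"X": X, "Y": Y, "Z_alice": Z_alice, "Z_bob": Z_bob}


def derive_keying_material(z: int, nonce_i: bytes, nonce_r: bytes, length: int) -> bytes:
    """Where the hash comes in: Z is never used as a key directly. A keyed hash
    (HMAC-SHA1 here, an assumed simplification of IKE's prf) mixes Z with the
    two sides' nonces and stretches the result into an arbitrary amount of
    keying material, one output block at a time."""
    z_bytes = z.to_bytes((z.bit_length() + 7) // 8 or 1, "big")
    skeyid = hmac.new(nonce_i + nonce_r, z_bytes, hashlib.sha1).digest()
    out = b""
    block = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(skeyid, block + bytes([counter]), hashlib.sha1).digest()
        out += block
        counter += 1
    return out[:length]


if __name__ == "__main__":
    assert is_primitive_root(G, N)
    # Random private exponents in [1, n-2]; secrets, not random, for key material.
    x = secrets.randbelow(N - 2) + 1
    y = secrets.randbelow(N - 2) + 1
    r = run_exchange(x, y)
    print(r)
    assert r["Z_alice"] == r["Z_bob"]
    # Constructed nonces; in IKE these are the initiator/responder nonces.
    km = derive_keying_material(r["Z_alice"], b"nonce-i", b"nonce-r", 40)
    print(km.hex())
```

The exchange itself is the key agreement: only X and Y cross the wire, and both sides end up with the same Z without ever sending it. The hash appears only afterwards, in `derive_keying_material`, which is the sense in which SHA-1 (or MD5) is "used in" a key exchange without being one.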




