MI5 hate encryption so much, they don't use it!]
Ben Laurie
ben at algroup.co.uk
Wed, 03 Jul 2002 18:48:09 +0100
Quentin Campbell wrote:
>>-----Original Message-----
>>From: Nexus [mailto:nexus@patrol.i-way.co.uk]
>>Sent: 03 July 2002 13:49
>>To: ukcrypto@chiark.greenend.org.uk
>>Subject: Re: MI5 hate encryption so much, they don't use it!]
>>
>>
>>Well they won't be able to use MAIL FROM: for much longer,
>>viz http://www.ripe.net/db/MD5-HOWTO.html
>>I also note that RIPE themselves warn of the dangers of using
>>either MD5-PW or CRYPT-PW at
>>http://www.ripe.net/ripencc/pub-services/db/security.html
>>
>
> [snip]
>
> The latter URL gives some odd and contradictory advice on
> authentication, suggesting using PGP but leaving a "backdoor" that uses
> a weaker mechanism.
>
> After pointing out that CRYPT-PW is less secure than MD5-PW, which is
> itself also open to password cracking or e-mail snooping, it says "If,
> for whatever reason, a user does not feel comfortable with only PGPKEY
> [authentication] and prefers to leave a "backdoor", please use CRYPT-PW
> as an addition[al authentication method], choosing a good password, but
> use PGPKEY for daily operations."
>
> When the experts at RIPE are offering that sort of advice perhaps Ben
> was being a little hard on MI5. :-)
Heh. Well, if they changed to MD5-PW this would be better advice - the
main vulnerability being email snooping, which is fine if you don't use
it :-)
Note that MI5 are not following this advice - I did quote _all_ the auth
methods.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff