From owner-freebsd-security Mon Sep 25 08:45:05 2000
Date: Mon, 25 Sep 2000 16:44:53 +0100 (BST)
From: Scot Elliott
To: "Brian F. Feldman"
Cc: CrazZzy Slash, Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>, freebsd-security@FreeBSD.org, Peter Pentchev
Subject: Re: Encryption over IP
In-Reply-To: <200009251541.e8PFfM549719@green.dyndns.org>

I'm not sure that's the point. If you're using SSH to tunnel between two
networks across the public Internet, then there is a chance of your
encrypted datastream being intercepted and analysed. If there's a large
amount of data, then the chance of the key being found, and therefore your
unencrypted data being exposed, is much higher.

Scot

On Mon, 25 Sep 2000, Brian F. Feldman wrote:

> > As a friend pointed out to me recently, long term SSH connections that
> > move a lot of data are probably not very secure, as the SSH protocol does
> > not re-generate its encryption keys unlike something like IPSec...
>
> So, weigh that into your decision of whether SSH is appropriate or not; are
> people on the inside going to be actively attempting a chosen-plaintext or
> known-plaintext attack? A long term SSH connection which only you have
> control over should really not have any need for rekeying; the stream should
> not be able to be known by anyone else in its unencrypted form, nor should it
> be able to be modified at will before transport.
>
> For using SSH as an anonymous tunnel in hostile environments, I'd definitely
> want to know it was rekeying at a decent interval.
>
> --
> Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! /
> green@FreeBSD.org `------------------------------'
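The thread's concern is a long-lived SSH tunnel that moves a lot of data under one session key. Added here as an example, not part of the original thread or of any of the participants' posts: a client-side ssh_config showing the default-reliant setup beside one that forces periodic rekeying. It assumes a modern OpenSSH, whose RekeyLimit option postdates this 2000 discussion; the host names, addresses and port numbers are placeholders.

```sshconfig
# Added example, not from the thread: ssh_config for a long-lived tunnel on a
# modern OpenSSH (RekeyLimit did not exist when this thread was written).
# gw.example.net, 10.0.0.5 and the ports are placeholders.

# Weak: relies on the defaults. Volume-based rekeying only triggers after
# 1 GB to 4 GB (cipher dependent) and there is no time-based rekey at all, so
# a slow but always-on tunnel can keep one session key for days.
Host tunnel-default
    HostName gw.example.net
    LocalForward 127.0.0.1:5432 10.0.0.5:5432

# Hardened: force a fresh key exchange after 256 MB or 1 hour, whichever comes
# first, so an attacker recording the stream gets bounded ciphertext per key.
# The keepalive settings stop an idle tunnel from being torn down silently.
Host tunnel-rekey
    HostName gw.example.net
    LocalForward 127.0.0.1:5432 10.0.0.5:5432
    RekeyLimit 256M 1h
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

To check what will actually take effect, run `ssh -G tunnel-rekey | grep -i rekeylimit`, which prints the resolved byte and second limits. The same option is accepted in sshd_config; because either side of an SSH-2 connection may initiate key re-exchange, whichever end has the stricter limit decides when the session key is replaced, so an operator who controls only one end can still enforce the bound.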