From owner-freebsd-security  Mon Sep 25  9:46:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3640437B42C; Mon, 25 Sep 2000 09:46:11 -0700 (PDT)
Received: from localhost (yqhu8k@localhost [127.0.0.1] (may be forged))
	by green.dyndns.org (8.11.0/8.11.0) with ESMTP id e8PGim554314;
	Mon, 25 Sep 2000 12:44:50 -0400 (EDT)
	(envelope-from green@FreeBSD.org)
Message-Id: <200009251644.e8PGim554314@green.dyndns.org>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Scot Elliott <scot@london.sparza.com>
Cc: "Brian F. Feldman" <green@FreeBSD.org>,
	CrazZzy Slash <slash@krsu.edu.kg>,
	Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>,
	freebsd-security@FreeBSD.org, Peter Pentchev <roam@orbitel.bg>
Subject: Re: Encryption over IP 
In-Reply-To: Message from Scot Elliott <scot@london.sparza.com> 
   of "Mon, 25 Sep 2000 16:44:53 BST." <Pine.GSO.4.21.0009251642550.7013-100000@hagop.london.sparza.com> 
From: "Brian F. Feldman" <green@FreeBSD.org>
Date: Mon, 25 Sep 2000 12:44:47 -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I'm not sure that's the point.
> 
> If you're using SSH to tunnel between two networks, across the public
> Internet then there is a chance of your encrypted datastream being
> intercepted and analysed.  If there's a large amount of data then the
> chance of the key being found and therefore your unencrypted data exposed
> - is much higher.

You still have to know at least some chunks of the plaintext to do that.  
You simply _cannot_ brute force any moderately decent algorithm with 
reasonable key length.  For example, Blowfish (commonly) uses a 160 bit key.
To do 2^160 operations of anything in a reasonable amount of time would be 
astounding, much less 2^160 different blowfish encryptions (note that it 
takes about 26 operations to encrypt one byte of data; that does not take 
into account the very low key agility which is much more significant for 
being able to brute-force it).

There aren't any chosen-plaintext or known-plaintext attacks against it; if 
there were, you would still have to push that much data through the tunnel; 
even chosen-plaintext attacks against a non-trivial algorithm require a huge 
amount of data to be encrypted.  In other words, don't worry about it.

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message