|
Posted by Unruh on November 5, 2006, 11:58 am
If you were Registered and logged in, you could reply and use other advanced thread options
>> How in th eworld is that a drawback? Under what rational criteria is that a
>> drawback?
>hmm, all i said that compusec was a excellent product but it only
>offers 128bit AES. Most of the government agencies, and especially if
>you work for financial institution, require you to use 256 AES.
I guess I did say rational criteria. There si no rational reason to prefer
256 over 128.
>> And now you tell me that a third party also has your key as well? Sheesh.
>hmm. what do you mean by third party?
>For the Challenge/Response password recovery to work, the IT Help Desk
>needs to know a secret. If that secret is leaked (e.g. posted on a
>website) yes then a attacker *might* be login into the system. The
>attacker would still need another secret, the user's logon name, which
>may or may not be easy to guess in 3 trys.
The help desk is the third person. Anyone else who knows the password is
the third person. That introduces a huge security hole, far far larger than
any AES128/256 distinction. It reduces the security to something like the
unix crypt funtion-- seeems secure but is easily broken. In this case not
broken, but susceptible to other far more efficient lines of attack than
direct attack on the cypher.
>As I said earlier, you can turn off the challence/response password
>recovery if you want. But it is good to have in case the employee
>leaves the company without giving up the passwords. This may not be
>applicable in all situations.
I understand why you would want it. It is also a huge security hole. That
is where I would spend my security concerns, not whether it uses 128, 256
or whatever size AES.
>BTW, the site that was hosting the analysis was down for a short period
>of time. It is back online the URL is still the same:
>http://www.xml-dev.com/blog/index.php?action=viewtopic&id=250
>saqib
>http://www.full-disk-encryption.net
All I am saying is that the number of bits should not be factor in your
decision, unless there is some insane political reason to take it into
account. It is the least of your worries.
You also have to decide what it is you are using the encryption to protect
yourself from. If it is from the local druggie, or if it is fromNSA those
are very different situations.
The other thing you shoud chech is write speeds. If they use a stream
cypher, they have to rekey every single time you write. And they have to
reencrypt the whole block. If the block is file sized, they have to rewrite
the whole file, not just the section of the file that changed.
They also have to have a subkey management fascility.
| 
XML site map