[svlug] PPTP?

Jose Medeiros cobra at jps.net
Sun Jul 22 15:35:01 PDT 2001

Well written, George. :-)

Now let's move on ...

Jose :-)
----- Original Message -----
From: "George Bonser" <george at shorelink.com>
To: "Dan Martinez" <dfm at area.com>
Cc: <svlug at svlug.org>
Sent: Sunday, July 22, 2001 11:21 AM
Subject: Re: [svlug] PPTP?

> I am not claiming that PPTP is any good, I am just saying that sometimes
> you are forced to operate with it and no amount of complaining is going to
> make management change their stance. A decision has been reached where
> they think the security provided by PPTP as offered with the Microsoft VPN
> adapter is "good enough" in that it does not require them to add any
> software or train anyone.
>
> As for the 128-bit brute force ... if it is a government that is doing the
> brute forcing, probably, yes. Also, don't fall into the "distributed
> net" model of thinking where you have standard computers running a program
> to "crack" a cipher. It is much more efficient to build hardware dedicated
> for that job. You can do things much faster in hardware.
>
> The EFF (not exactly the deepest pocketed cracker) built a piece of
> hardware that won RSA's DES Challenge II in less than 3 days as opposed to
> 39 days by a network of tens of thousands of systems. I realize there is a
> LOT of difference between a 56 and a 128 bit key. The point being here
> that if someone is determined to get the data, they can build a piece of
> hardware to do it much more efficiently than having a standard computer do
> it.
>
> The other point is that even 40 bit security is enough to keep a single PC
> busy for a few years. The simple fact of the matter is that ANY encryption
> probably safeguards against idle perusal of your data by a single
> individual. It will not protect you against a concerted attack by a
> wealthy adversary that is going to devote considerable resources to the
> problem. No common data communications cipher is probably safe against a
> government or pool of governments with first rate communications intercept
> capabilities.
>
> On my long-haul VPN links I use a 128-bit key with blowfish. The key
> changes every 15 minutes. If you record the data and crack the key, you
> get to see 15 minutes worth before you have to start over again to get
> another 15 minutes worth. We DON'T use PPTP for those. These are the links
> that interconnect the offices.
>
> For people simply working at home and need to get their email on the
> private network, PPTP is just fine. It allows them access to the private
> RFC1918 network space that is not otherwise reachable over the internet.
>
> I think the answer to the original question is:
>
> Currently there are no other VPN alternatives that are as easy to set up
> for the Windows units as PPTP is. And most Linux PPTP stuff is rather
> poorly documented or does not seem to interoperate well. That points out
> an area where someone could make a difference if they wanted to. If you
> make a really robust client/server that works perfectly with Windows
> clients/servers, even though it is a crappy protocol, you can get Linux
> into more places than it is today. No sense arguing about the protocol,
> PPTP is inferior but people are not particularly interested in the perfect
> protocol, they want to get their work done without having to learn what a
> packet is.
>
> On Sun, 22 Jul 2001, Dan Martinez wrote:
> > Uh... what? You're claiming that a properly-designed cipher with
> > 128-bit key length can be brute-forced in a reasonable amount of time?
> >
> > Dan