Monday, June 4, 2007

Fun with defaults

Last week a coworker called me in for some help with an IPsec tunnel to Jamaica. Our side is Openswan, theirs is Checkpoint.

The tunnels were coming up as far as Openswan was concerned, but Checkpoint was rejecting the traffic. Fortunately the guys in Jamaica knew their stuff better than me and were able to point us in the right direction: Checkpoint was configured to use 3DES-MD5, but Openswan had brought up a tunnel with 3DES-SHA1. We told Openswan to use 3DES-MD5 on this tunnel, and the problem went away.

This raises a few points.

  1. How did two IKE-compliant products manage to negotiate incompatible tunnels? Well, whatever. Stuff happens.

  2. Checkpoint's logging must be pretty good. It told the operators exactly what we needed to know: Openswan was using an unexpected hash method.

  3. Most importantly, it's 2007 and there are still people using 3DES and MD5 for tunnels.

In software, AES-256 is at least three times as fast as 3DES. (Run "openssl speed des-ede3 aes-256-cbc".) The effective key length of 3DES is 112 bits, so AES-256 is three times as fast and one billionty times harder to break. Not much of a tradeoff there. If your security gateway is doing 3DES in hardware and is too old to handle AES in hardware, you might as well switch to software -- if you had enough traffic to justify hardware encryption, you'd probably have enough money to buy new hardware.

So 3DES is getting old, but it's still awfully hard to break. Not MD5. MD5 is just dangerous. It's trubs. Even SHA1 is starting to look scared.

I think it's pretty silly that IPsec implementations are still defaulting to 3DES and MD5.
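
An added example, not part of the original post: a small Python check that reads Openswan-style ipsec.conf text and reports connections that leave ike= or esp= unset (so an implementation default decides the proposal) or that name 3DES or MD5. The sample configuration and connection names are constructed, and the parser is simplified (it ignores also= and include).

```python
import re

# Constructed sample config (not from the post); names and addresses are placeholders.
SAMPLE_CONF = """\
conn legacy-peer
    ike=3des-md5
    esp=3des-md5

conn implicit
    right=203.0.113.7

conn pinned
    ike=aes256-sha1
    esp=aes256-sha1
"""

WEAK = {"3des", "md5"}  # the algorithms the post argues against

def parse_conns(text):
    """Return {conn_name: {key: value}}. Simplified: ignores also= and include."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # a non-conn section such as "config setup"
    return conns

def audit(text):
    """Return sorted (conn, key, finding) tuples for unset or weak proposals."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})  # conn %default supplies fallbacks
    findings = []
    for name, params in conns.items():
        merged = {**defaults, **params}
        for key in ("ike", "esp"):
            value = merged.get(key)
            if value is None:
                findings.append((name, key, "unset: implementation default applies"))
            tokens = set(re.split(r"[-,;!\s]+", (value or "").lower()))
            findings += [(name, key, f"weak: {a}") for a in sorted(tokens & WEAK)]
    return sorted(findings)
```

Calling audit(SAMPLE_CONF) flags "legacy-peer" for 3DES and MD5 and "implicit" for leaving both phases to the defaults, while "pinned" passes.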
