[Ach] SWEET32/CVE-2016-2183
Akendo
akendo at akendo.eu
Wed Aug 24 21:19:07 CEST 2016
The openvpn configuration includes a keepalive parameter with following
values: 10 120
you think this is sufficient? Whereby I'm uncertain about the function
in OpenVPN in regards to your statement.
best regards
Akendo
On 08/24/2016 08:43 PM, Hanno Böck wrote:
> On Wed, 24 Aug 2016 19:24:22 +0200
> Akendo <akendo at akendo.eu> wrote:
>
>> As far I see this, when following the recommendation for server like
>> nginx or OpenVPN 3DES is disabled and it should not be an issue,
>> correct?
>
> There's probably not a whole lot for the bettercrypto guide, yet this
> has some interesting aspects.
>
> One that I think hasn't come up a lot before is limiting keepalive
> connections. We actually thought about that during writing the GCM
> nonce paper as well. Crypto attacks that require a lot of data to be
> encrypted *with the same key* can be effectively mitigated with a
> practically irrelevant performance hit if you limit requests over one
> connection to - let's say - 100 (like apache does).
>
> What might also be interesting is looking into more unusual protocols
> that might still use blowfish or 3des. It was used in SSH, but lately
> OpenSSH has aggressively deprecated everything old. These ciphers were
> more or less considered secure. While the block collission issue is not
> really new, it may not have been known so widely.
>
>
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
More information about the Ach
mailing list