IMHO, this is a rathole. While the science behind the implementation of encryption algorithms, in general, may be less than perfect, the engineering behind the implementation is "good enough" for various flavors of data usability persistence. Encryption only has to protect its data for that time when the release of that data may be detrimental. The absolute best encryption methods only slow down the cracker. But that's all it has to do. At the moment, DES is crackable in about 12 hours (see: distributed.net and eff.org). Even so, it is sufficient to protect data which only has a useful transient half-life of 3-6 hours, such as one-time pass codes. It is certainly more secure than plain-text. Sessions using passwds that are changed weekly, or even monthly, are certainly well protected by SSH1. Likewise, most session management packets, scripts, and configuration commands are not useful data beyond a few weeks. The data gets stale. OTOH, CC numbers are good for years (until the expiration date) and must be better protected. But their shelf-life is still finite. i.e.: I don't care if anyone knows the password that I used last Monday, because I've changed it three times since then. Likewise, if someone can crack my cipher-text 200 years from now, I will most likely be beyond caring at that time <grin>.
From: Deepak Jain [mailto:deepak@ai.net] Sent: Saturday, April 29, 2000 1:16 PM
This statement is a little too broad. I would contest that the design of, say, FreeBSD's /dev/random permits sufficient entropy collection to usefully initialise a strong hashing algorithm with a non-predictable vector.
Okay, you know where I was going. Simple question - where are you finding entropy in a FreeBSD machine? (sufficient being a very relative term)
Not intending to scare anyone.