From: ummeegge
To: development@lists.ipfire.org
Subject: OpenVPN/IPsec - Sweet32: Birthday attacks
Date: Mon, 29 Aug 2016 17:50:23 +0200
Message-ID: <4A108ED6-A3B6-464A-9952-07BD7226059E@ipfire.org>

Hi all,

I wanted to report a cross-site scripting vulnerability problem for OpenVPN and possibly also IPSec via the "SWEET32: Birthday attacks on 64-bit block ciphers", which concerns the DES cipher incl. the 3DES variants but also the Blowfish cipher. The only way to fix it which I have currently recognized is to use other ciphers than those, and another way for a faster implementation for OpenVPN is to renegotiate new keys more often. An example can be to use '--reneg-bytes 64000' in the configuration.

So my question is: should we delete those ciphers from the OpenVPN/IPsec cipher lists and announce this problem to the community, maybe via the Planet (have announced it already in the IPFire forum for OpenVPN)?

Some deeper insights into the cause of this problem can be found here:

- https://sweet32.info/
- https://community.openvpn.net/openvpn/wiki/SWEET32

Greetings,

Erik
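
The two mitigations named in the message above (a different cipher, or byte-based renegotiation) can be checked per OpenVPN config file. The following is an added example, not part of the original post and not IPFire code; the function names, the sample configs and the BF-CBC fallback for configs without a 'cipher' line are assumptions.

```python
# Added example: SWEET32 exposure check for an OpenVPN config (not IPFire code).
# 64-bit block ciphers named in the post: DES incl. 3DES variants, and Blowfish.
# Prefix match on the usual OpenVPN cipher names; the list is not exhaustive.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-")


def parse_options(text):
    """Map option name -> argument list, skipping blank and comment lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts[parts[0].lstrip("-")] = parts[1:]
    return opts


def audit(text, default_cipher="BF-CBC"):
    """Classify one config as 'ok', 'mitigated' or 'exposed'.

    default_cipher is an assumption: the cipher OpenVPN falls back to when
    the config has no 'cipher' line (BF-CBC on 2.3-era releases).
    """
    opts = parse_options(text)
    cipher = (opts.get("cipher") or [default_cipher])[0].upper()
    result = {"cipher": cipher, "implicit": "cipher" not in opts,
              "reneg_bytes": None, "status": "ok"}
    if not cipher.startswith(SMALL_BLOCK_PREFIXES):
        return result
    arg = (opts.get("reneg-bytes") or ["0"])[0]
    limit = int(arg) if arg.isdigit() else 0
    if limit > 0:  # 0 means no byte-based renegotiation
        result.update(reneg_bytes=limit, status="mitigated")
    else:
        result["status"] = "exposed"
    return result


# Constructed sample configs, not taken from a real system.
SAMPLES = {
    "blowfish": "dev tun\ncipher BF-CBC\n",
    "3des+reneg": "cipher DES-EDE3-CBC\nreneg-bytes 64000\n",
    "aes": "# hardened\ncipher AES-256-CBC\n",
    "no-cipher-line": "dev tun\nproto udp\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit(cfg))
```

A config with no 'cipher' line is reported as exposed under the assumed default, which is the case a plain search for cipher names would miss.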