[olug] TINC

Sam Flint harmonicnm7h at gmail.com
Thu Nov 15 00:07:41 UTC 2012


Tinc does now use RSA keys.


On Wed, Nov 14, 2012 at 2:16 PM, Rob Townley <rob.townley at gmail.com> wrote:

> IPsec Pre Shared Key for enterprise wireless is worse than PPTP according
> to https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ .
> Make sure IPsec is used with certificates instead.
>
> tinc is an educational project sponsored by a university aiming to grow
> awareness of encryption over the public internet.  It does not have a
> marketing department.  Criticism is welcome.  Think of Schneier *"Secrecy
> and security aren't the same, even though it may seem that way. Only bad
> security relies on secrecy; good security works even if all the details of
> it are public."* <https://en.wikipedia.org/wiki/Bruce_Schneier#cite_note-20>
> tinc like much security software can have 'Encryption = none', a setup
> with no security at all to have a gaming extranet or just plain EOIP.
> For mainstream use, security software needs to be secure even when Grandma
> installs it.  Hamachi does that but is not as flexible as tinc.
>
> Peter Gutmann tore apart many different VPNs in his assessment, but still
> ranked tinc the best of those in his comparison.  The only real criticism
> he had was that it still used Defense Encryption Standard DES keys just
> like a Win2003 based ActiveDirectory would use and MSCHAPv2 for WPA2 uses
> till this day.  We are not talking triple DES, just plain DES.  However,
> tinc didn't use MSCHAP, it uses RSA to establish the session keys.  tinc
> also used one of the other AES contenders, Blowfish, since 2000.  Blowfish
> has not been broken.  It was not till Win2003R2 that MS upgraded to a
> little better arc4 keys.  The fact is there are many MS ActiveDirectory
> domains out there that still use DES to this day.  Why? Not only because of
> MSCHAPv2 for WPA2 but much more worrisome because even if all your ADS
> servers are Win2008R2, they can still run in Win2000 ADS compatibility mode
> which would mean DES keys.  DES was broken in the 90's and now the
> CloudCracker can break open DES traffic in 24 hours.
>
> I have learned much more by using this open source project than other VPNs
> - open source or not.
>
>
>
> On Tue, Nov 13, 2012 at 6:04 PM, Christopher Cashell <topher-olug at zyp.org> wrote:
>
> > On Tue, Nov 13, 2012 at 5:04 PM, Sam Flint <harmonicnm7h at gmail.com> wrote:
> > > Does anyone have experience with tinc vpn?
> >
> > It was not looked on particularly favorably in a comparison some years
> > ago by well known cryptographer Peter Gutmann:
> > http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
> >
> > Admittedly, that review was from 2003.  However, one of the things
> > that post discusses at length, and does a great job of illustrating,
> > is that security software like VPNs is difficult to get right, and
> > very easy to get wrong.
> >
> > OpenVPN seems to have emerged as the closest thing to a de facto
> > standard for non-IPsec.  Personally, I would stick with either IPsec
> > or OpenVPN for any VPN needs unless I had a *really* good reason to
> > use something else.
> >
> > Personal experience with IPsec and OpenVPN would leave me leaning
> > towards OpenVPN for everything that didn't require compatibility with
> > non-OpenVPN connections (appliances, routers/firewalls, other
> > third-party situations), in which case I'd use IPsec.
> >
> > > --
> > > Sam Flint
> >
> > --
> > Christopher
> > _______________________________________________
> > OLUG mailing list
> > OLUG at olug.org
> > https://lists.olug.org/mailman/listinfo/olug
> >



-- 
Sam Flint
flintfam.org/~swflint
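The "Encryption = none" setup Rob mentions is, in tinc 1.0's per-host configuration files (hosts/<name>), the Cipher variable; Digest controls packet authentication the same way, and the file also carries the peer's RSA public key that tinc uses to establish session keys. As an added example that is not tinc's code nor anything posted in this thread, here is a small Python audit that parses a set of constructed host files and flags Cipher = none, single DES, Digest = none, a short MACLength, and a missing RSA public key. The hostnames, subnets and key blocks are placeholders I made up for the sample.

```python
"""Audit tinc 1.0 host configuration files for weak packet-security settings.

Added example, not tinc's own code.  A tinc 1.0 host file is a list of
"Variable = value" lines followed by the host's PEM-encoded RSA public key.
Cipher (default blowfish), Digest (default sha1) and MACLength (default
4 bytes) set the per-packet crypto; "Cipher = none" disables encryption
and "Digest = none" disables authentication.  All host files below are
constructed samples with placeholder key blocks.
"""
from typing import Dict, List, Tuple

# Placeholder standing in for a real PEM public key (constructed, not a key).
KEY_PLACEHOLDER = (
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "constructed-placeholder-not-a-real-key\n"
    "-----END RSA PUBLIC KEY-----\n"
)

# Constructed sample host files (hypothetical hostnames and subnets).
SAMPLE_HOSTS: Dict[str, str] = {
    # Hardened: explicit AES cipher, SHA-256 digest, full-length tag, key present.
    "alpha": (
        "Address = vpn-a.example.net\n"
        "Subnet = 10.0.1.0/24\n"
        "Cipher = aes-256-cbc\n"
        "Digest = sha256\n"
        "MACLength = 32\n"
    ) + KEY_PLACEHOLDER,
    # The "gaming extranet" case from the thread: no crypto at all.
    "gaming": (
        "Address = lan-party.example.net\n"
        "Subnet = 10.0.2.0/24\n"
        "# plain EoIP: no confidentiality, no integrity\n"
        "Cipher = none\n"
        "Digest = none\n"
    ) + KEY_PLACEHOLDER,
    # Single DES plus a 2-byte authentication tag.
    "legacy": (
        "Address = old-box.example.net\n"
        "Subnet = 10.0.3.0/24\n"
        "Cipher = des-cbc\n"
        "MACLength = 2\n"
    ) + KEY_PLACEHOLDER,
    # Strong cipher, but nobody ever pasted the peer's public key in.
    "nokey": (
        "Address = forgot.example.net\n"
        "Subnet = 10.0.4.0/24\n"
        "Cipher = aes-256-cbc\n"
    ),
}

# Single-DES names as OpenSSL spells them; 3DES ("des-ede3-*") is deliberately absent.
SINGLE_DES = {"des", "des-cbc", "des-ecb", "des-cfb", "des-ofb"}
MIN_MAC_BYTES = 8


def parse_host_file(text: str) -> Tuple[Dict[str, str], bool]:
    """Return ({lowercased variable: value}, key_present) for one host file.

    Lines inside the PEM block are skipped; '#' comment lines and blanks are ignored.
    """
    settings: Dict[str, str] = {}
    key_present = False
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_key:
            if line.startswith("-----END"):
                in_key = False
            continue
        if line.startswith("-----BEGIN"):
            in_key = True
            key_present = True
            continue
        if not line or line.startswith("#") or "=" not in line:
            continue
        var, _, value = line.partition("=")
        settings[var.strip().lower()] = value.strip()
    return settings, key_present


def audit_host(text: str) -> List[str]:
    """List the weak settings in one host file (an empty list means nothing was flagged)."""
    settings, key_present = parse_host_file(text)
    findings: List[str] = []
    cipher = settings.get("cipher", "blowfish").lower()  # tinc 1.0 default when absent
    digest = settings.get("digest", "sha1").lower()      # tinc 1.0 default when absent
    if cipher == "none":
        findings.append("Cipher = none: UDP packets are sent in the clear")
    elif cipher in SINGLE_DES:
        findings.append(f"Cipher = {cipher}: single DES (56-bit key)")
    if digest == "none":
        findings.append("Digest = none: packets carry no authentication tag")
    mac_raw = settings.get("maclength")
    if mac_raw is not None:
        if not mac_raw.isdigit():
            findings.append(f"MACLength = {mac_raw}: not a number")
        elif int(mac_raw) < MIN_MAC_BYTES:
            findings.append(f"MACLength = {int(mac_raw)}: tag shorter than {MIN_MAC_BYTES} bytes")
    if not key_present:
        findings.append("no RSA public key: this peer cannot be authenticated")
    return findings


def audit_all(hosts: Dict[str, str] = SAMPLE_HOSTS) -> Dict[str, List[str]]:
    """Audit every host file and return {name: findings}."""
    return {name: audit_host(text) for name, text in hosts.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {'ok' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"    - {finding}")
```

Run against a real hosts/ directory by reading each file into the dict passed to audit_all. Absent Cipher and Digest lines are treated as tinc 1.0's blowfish and sha1 defaults and not flagged, which matches Rob's point that the weak case is an explicit "none", not the default.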


