Hubert Kario <hka...@redhat.com> writes:

> There Is No Such Thing As A Trusted Network

I didn't say "trusted network", I said "isolated, private network". The type where, if an attacker has got to the point where they have physical access to the area where the network is, they can do far more damage via any kind of non-network attack than they could by hauling in computing equipment and sitting there for hours or days trying to attack the crypto on a particular endpoint.

In addition, the security doesn't have to be theoretically perfect, just good enough. An isolated network is frequently deemed secure enough, taking into account the resources being protected, cost to an attacker, likelihood of an attack via that channel, etc. It's typically much easier to control access to a network than to secure every single endpoint on that network, particularly when half of them are a zoo of ethernet-to-something-else converters (if you want to see a mess of interesting TLS, look at industrial RS422/485/Profibus/Modbus/Fieldbus/etc to ethernet converters and TCP gateways; some of those are examples I've used - anonymously - in previous messages).

The best example of this, which I've mentioned in the past because it's nicely illustrative, was a ventilator control that used a 512-bit key for its TLS (16-bit device, and it took about 30s for the connection to be established; the key size was chosen because it was all the hardware could handle). This was perfectly adequate: to get access to it you'd need to break into the facility, get to a network port, grab the key from the device, break out again, go away and factor it, break in again, get to the network port, fire up your attack device, and then... you could switch a ventilator on or off. You could also do that by walking down the corridor and flipping a switch. In either case, you've now turned a ventilator in an occasionally-used stock room on or off. Even the 512-bit key was overkill.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls