June 27, 2011 at 12:27 pm
Sweet, thanks, found a new toy 🙂
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
June 27, 2011 at 3:36 pm
opc.three (6/27/2011)
Elliott Whitlow (6/27/2011)
Agreed. It was not specifically for the benefit OP, but for me 😀 I would not implement the component as an Enterprise solution unless it could do Idea. If it could not, then I would stick with my current solution, gpg.
Depends on the enterprise; if you're under FIPS 140-2 requirements (health care, government), you should be avoiding IDEA like the plague; force others to upgrade or use another method. In this use case, with GPG in specific, and almost certainly with other solutions, you'll also have to hand-edit your own public key's list of ciphers and hashes, as well as your configuration's list of allowed/disallowed ciphers and hashes.
Personally, I'd avoid IDEA like the plague anyway; most cases of that being the preferred cipher are from decade old PGP versions that need to be upgraded ($$$) or replaced with GPG anyway. If you can at least go down to Triple-DES, you should be all right with the cipher suite most even quite old keys support.
June 27, 2011 at 3:41 pm
Nadrek (6/27/2011)
opc.three (6/27/2011)
Elliott Whitlow (6/27/2011)
Agreed. It was not specifically for the benefit OP, but for me 😀 I would not implement the component as an Enterprise solution unless it could do Idea. If it could not, then I would stick with my current solution, gpg.Depends on the enterprise; if you're under FIPS 140-2 requirements (health care, government), you should be avoiding IDEA like the plague; force others to upgrade or use another method. In this use case, with GPG in specific, and almost certainly with other solutions, you'll also have to hand-edit your own public key's list of ciphers and hashes, as well as your configuration's list of allowed/disallowed ciphers and hashes.
Personally, I'd avoid IDEA like the plague anyway; most cases of that being the preferred cipher are from decade old PGP versions that need to be upgraded ($$$) or replaced with GPG anyway. If you can at least go down to Triple-DES, you should be all right with the cipher suite most even quite old keys support.
No question to anything you said...but when you have to support Idea because a business partner asks you to then guess what, sometimes you will support Idea. That goes for pretty much any technology. "Upgrade your system" and "Change the algorithm you use" can be a partnership-limiting move in some cases.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
June 27, 2011 at 3:47 pm
opc.three (6/27/2011)
No question to anything you said...but when you have to support Idea because a business partner asks you to then guess what, sometimes you will support Idea. That goes for pretty much any technology. "Upgrade your system" and "Change the algorithm you use" can be a partnership-limiting move in some cases.
Not if you're under a serious legal and regulatory requirement to comply with FIPS 140-2 or other national laws and regulations; unless your upper management wants to deliberately sign off in writing on "No, let's not follow that law/comply with that regulation."
If your upper management does want to avoid complying with laws and regulations, and is willing to push it to avoid asking a business partner to upgrade ancient software to a new, compliant solution, dust off your resume... and, in certain industries, put a lawyer on retainer for yourself, personally. Some laws include provisions for charging individual employees with violations.
June 27, 2011 at 3:50 pm
Like I said, not arguing anything you said. Compliance was not the issue at hand in my scenario.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
June 28, 2011 at 7:01 am
opc.three (6/27/2011)
Like I said, not arguing anything you said. Compliance was not the issue at hand in my scenario.
Setting compliance aside, is even broaching the subject of ancient software and keys forbidden? Forcing the business partner to upgrade may not be allowable, but can you at least ask; pointing out that they're using less secure or insecure software and/or public keys sometimes works, especially if you can offer a free alternative (GPG, perhaps with the http://gpg4win.org/[/url] installer).
June 28, 2011 at 7:14 am
Nadrek (6/28/2011)
opc.three (6/27/2011)
Like I said, not arguing anything you said. Compliance was not the issue at hand in my scenario.Setting compliance aside, is even broaching the subject of ancient software and keys forbidden? Forcing the business partner to upgrade may not be allowable, but can you at least ask; pointing out that they're using less secure or insecure software and/or public keys sometimes works, especially if you can offer a free alternative (GPG, perhaps with the http://gpg4win.org/[/url] installer).
We're pretty much fully derailed here, I hope the OP got what they were after, but since you ask, I did ask and did offer up gpg! That's the thing about flaming people Nadrek, you weren't there! The partner paid something like $3K for their commercial PGP application and built a ton of infrastructure around it in the form of an automated secure file intake/outtake system. Sure, here I come with "can you switch everything to use this $0 option?". In my scenario we were using their public key to encrypt and send to them and they created their key using Idea, and claimed they had no other option due to aforementioned infrastructure in place.
I alluded to what a PITA it was to recompile gpg.exe on a Windows platform for purposes of manually including the idea.c file in the build. Also, you were correct when you talked about manually altering the available list of ciphers, I had to do that too. So yes, I asked, and then I begged, but at the end of the day I implemented and supported Idea.
If I am choosing an "Enterprise solution" (and I know that term is controversial in and of itself) I want to make sure it can handle as many scenarios as possible out of the box. If I run into another "ancient" partner out there, and I am sure there are tons still using Idea, I don't want to have to cobble something together on the fly if I could have chosen something that would handle it natively. I want whatever I choose to be able to handle the cipher du jour and maybe a few whose good days are behind them.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
June 28, 2011 at 12:01 pm
In most cases when dealing with these ancient partners you can only push them so far, however, internally you have more leverage. If you report out that their security is extremely deficient and can/will potentially cause compliance issues with X, your higher ups are in a better position to push or to drop the vendor. If I'm forced to implement something that in all likelyhood will be non-compliant I want it in writing that I am being directed to do this. It might not keep me from getting fired when it hits the fan but at least I could defend myself legally if I had to. But long before it gets to that I would try and get us into at least an old algorithm, just not ancient.. I try to avoid legal issues for my company and myself.
CEWII
Viewing 8 posts - 16 through 22 (of 22 total)
You must be logged in to reply to this topic. Login to reply