[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DSN



At 12:47 AM 2/1/96 -0500, you wrote:
>Anyone heard of DSN? I think thats the right order of the initials...
>... its supposedly the only crypto-hardware solution for protecting an 
>entire network on the Internet. You put one of these $5,000 units at one 
>end of a lan, and another one somewhere else on the Internet, and the 
>company gaurantees secure, encrypted transmissions. The TCP/IP headers 
>and data are mangled, encrypted, etc.

Anybody who supposedly makes the "only [whatever-category] hardware solution"
for a problem has either not done their literature searching, is going for
a really obscure market niche, doesn't understand the problem, or
(very rarely) is the first product out on the bleeding edge, or has
had their competitors go out of business on them.  VSLAN (I forget the 
manufacturer) used to make an encrypting Ethernet board for PCs, Suns, etc.,
and did the software work behind it to get a B2 Red Book rating from the NSA.
Boeing had a secure FDDI ring about the same time (~5 years ago.)
Motorola has made several products for encrypting Ethernets, X.25s, and
other networks, which the military buys and likes.  Don't know which of
these are still on the market, and what new toys have appeared.

Meanwhile, the swIPe encrypted/authenticated IP protocol is available,
and the similar IPng security protocols are emerging (i.e. the RFCs are
written and folks are working on reference implementations.)
They'll cost you $0 for software plus a 386-box for Linux, or a used Sun.

>It uses 512bit keys and I was just wondering how the authentication is
>done. Does anyone have any specs on these units? Supposedly it does not
>require a 3rd party entity to verify that the two units are both valid,
>when determining the initial public/key pairs. Perhaps there is hardcoded
>data in the units that is used to verify this? The company supposedly has 
>some proprierty method ... how can we be sure this expensive unit can do 
>its job if information on the encryption has not been released. 

If you can't get the company to show you the protocols, at least under
non-disclosure, ask them if it's NSA-certified and see what the NSA has to say
about it.  512-bit keys seem a bit short for either RSA or Diffie-Hellman
these days...

>[RSA in 5 lines of Scheme, deleted.]
Got any short prime-number generators?
#--
#				Thanks;  Bill
# Bill Stewart, [email protected] / [email protected] +1-415-442-2215
# http://www.idiom.com/~wcs