Summary: This show in all about Beast Attack on SSL, Cisco Nexus network designs and limitations of the FEX switching, and a bitch slap between MrsY and Greg on DNS Load Balancers. This is the second half of the show recorded on the 25th Sep, 2011. You can find the first show. Beast Attack on SSL. MrsY says: Felt so depressed after reading about the new SSL vuln, that I didn’t even want to go to work the next day. I can’t figure out what we’re doing anymore. Why aren’t we deploying TLS 1.1 and 1.2?! Everyone knew this was coming. “...Short for Browser Exploit Against SSL/TLS, BEAST performs what's known as a chosen plaintext-recovery attack against AES encryption in earlier versions of SSL and its successor TLS, or transport layer security. The technique exploits an encryption mode known as cipher block chaining, in which data from a previously encrypted block of data is used to encode the next block.” http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ Pretty good post on mitigating the threat and what it means Saw some figures from Ivan Ristic’s site regarding the prevalence of older (vulnerable) versions of SSL and TLS: http://blog.ivanristic.com/2011/09/ssl-survey-protocol-support.html And from the God of Crypto (i.e. Blowfish), Bruce Schneier: “The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text sent by the target's browser into the encrypted request stream to determine the shared key. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through a Web ad service or an IFRAME in a linkjacked site, ad, or other scripted elements on a webpage. Using the known text blocks, BEAST can then use information collected to decrypt the target's AES-encrypted requests, including encrypted cookies, and then hijack the no-longer secure connection. That decryption happens slowly, however; BEAST currently needs sessions of at least a half-hour to break cookies using keys over 1,000 characters long. The attack, according to Duong, is capable of intercepting sessions with PayPal and other services that still use TLS 1.0which would be most secure sites, since follow-on versions of TLS aren't yet supported in most browsers or Web server implementations.” Adaptive chosen-plaintext attack, where the cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions. http://www.schneier.com/blog/archives/2011/09/man-in-the-midd_4.html “The chosen plaintext-recovery at the heart of BEAST attacks algorithms that use a mode known as CBC, or cipher block chaining, in which information from a previously encrypted block of data is used (as an IV) to encode the next block. CBC is present in both AES and DES, but not in RC4.” http://www.theregister.co.uk/2011/09/23/google_ssl_not_vulnerable_to_beast/ And finally, best analysis of how BEAST works by the Tor developers. https://blog.torproject.org/blog/tor-and-beast-ssl-attack Cisco Nexus Switch Designs Ethan says I met with Cisco this week to design a small Nexus core/agg/access. We could talk through why they guided me the way they did. AKA, why is the 7K lagging behind the 5K in features? Shouldn’t the 5K be the leader? Or is it all about the non-blocking? How come FEXen can’t dual-home to a pair of 7Ks? And does it matter? Etc. Using DNS Load Balancers or BIND to manage DNS domains MrsY and Greg go head to head on whether BIND is better than using DNS Load Balancer appliances for managing DNS domains. Talked about F5 GTM, NetScaler Global DNS, Cisco GSLB or using a managed DNS service.
