[pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

James A. Donald jamesd at echeque.com
Thu Oct 10 14:41:56 PDT 2013


On 2013-10-11 00:39, Eugen Leitl wrote:
> ----- Forwarded message from Giles Coochey <giles at coochey.net> -----
> 2. Cipher Selection - we're not all cryptanalysts, so statements like
> 'trust the math' don't always mean much to us, given the reports in
> the media, what is considered a safe cypher? I recently switched from
> AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2
> to pfs group 5, and I reduced my SA lifetimes from 28800 to 1800.
> Could that be considered overkill? What Ciphers are others using?
> Have any of you, who have been made recently aware of the media
> coverage recently, also changed your cipher selection? What kind of
> changes did you make?

Overkill is a rational and appropriate response to recent revelations.  
NIST is actually out to get you, so you might as well put on a tinfoil 
hat to be on the safe side.  Yes, there really is a gigantic government 
conspiracy, no kidding.

While I am pretty sure AES and SHA 256 are perfectly safe, in view of
recent events, I would follow the lead of the highly competent
cryptographer Jon Callas,
http://www.mail-archive.com/infowarrior@attrition.org/msg10926.html and
use non-NIST algorithms:

Use Twofish in place of AES if convenient to do so, and Skein hash in 
place of SHA hash.




