Can encryrpted packets be cracked by middle man?

[Georgia Sam]

This is a question about how secure encryption is.

I've allowed several users to install LogMeIn (web based remote access tool.
I suppose it's similar to GoToMyPC.) on their local computers. I have one
particular question about the security of their connection (which uses 128
or 256 bit encryption & SSL & proxy servers.);

Would it be at all possible for someone who has complete control of their
servers to intercept and read the encrypted packets between client PCs (for
example by cracking the passwords)?

I assume they it's virtually impossible. But someone brought it up at the
office and I'm not able to clearly and definitively prove them wrong.

Thanks,

BobK

 

[Wolf Kirchmeir]

This is a question about how secure encryption is.

I've allowed several users to install LogMeIn (web based remote access tool.
I suppose it's similar to GoToMyPC.) on their local computers. I have one
particular question about the security of their connection (which uses 128
or 256 bit encryption & SSL & proxy servers.);

Would it be at all possible for someone who has complete control of their
servers to intercept and read the encrypted packets between client PCs (for
example by cracking the passwords)?

I assume they it's virtually impossible. But someone brought it up at the
office and I'm not able to clearly and definitively prove them wrong.

Thanks,

BobK

A 128 bit key can be broken relatively easily, as these things go, a 256
bit key takes a little longer. Encryption is like a good lock on your
door: it won't stop someone who has decided they must get into your home
regardless, but it offers enough hassle and delay to dissuade 99.99%+ of
the bad hats.

Do you have enemies who are bent on destroying you? If so, worry.
O'wise, the security offered is more than enough.

 

[Dave Nickason [SBS MVP]]

Sorry to disagree. Part of this depends on the type of encryption used, but
good 128-bit encryption is far from trivial to break. Check out this FAQ
http://www.nist.gov/public_affairs/releases/aesq&a.htm. Here's a relevant
quote:

16. What is the chance that someone could use the "DES Cracker"-like
hardware to crack an AES key?
In the late 1990s, specialized "DES Cracker" machines were built that could
recover a DES key after a few hours. In other words, by trying possible key
values, the hardware could determine which key was used to encrypt a
message.

Assuming that one could build a machine that could recover a DES key in a
second (i.e., try 255 keys per second), then it would take that machine
approximately 149 thousand-billion (149 trillion) years to crack a 128-bit
AES key. To put that into perspective, the universe is believed to be less
than 20 billion years old.

 

[Wolf Kirchmeir]

Sorry to disagree. Part of this depends on the type of encryption used, but
good 128-bit encryption is far from trivial to break. Check out this FAQ
http://www.nist.gov/public_affairs/releases/aesq&a.htm. Here's a relevant
quote:

16. What is the chance that someone could use the "DES Cracker"-like
hardware to crack an AES key?
In the late 1990s, specialized "DES Cracker" machines were built that could
recover a DES key after a few hours. In other words, by trying possible key
values, the hardware could determine which key was used to encrypt a
message.

A few hours is a very short time to crack a code.

Assuming that one could build a machine that could recover a DES key in a
second (i.e., try 255 keys per second), then it would take that machine
approximately 149 thousand-billion (149 trillion) years to crack a 128-bit
AES key. To put that into perspective, the universe is believed to be less
than 20 billion years old.

Thanks, I forgot about the difference between DES and AES (not that I
have more than casual knowledge of these things.) Like I said, it takes
a little longer...

My point was that the OP needn't worry about encrypted data being read
by 3rd parties, a point which your information strengthens, so thanks
for that, too.

There is an implication in the OP's question that perhaps should be
addressed. The OP's question IMO could be paraphrased as, "Is there are
_practical_ risk that encrypted data can be read by a third party?", and
to that the answer is No. Even rather weak encryption schemes are enough
of a hassle that the decrypter must have a good reason for cracking the
key, but that would imply that some prior knowledge of the data's value.
If that knowledge is out there, you have more security problems than can
be addressed by data encryption alone.

 

[William Stacey [MVP]]

We must also remember that depending on how and what is being sent, you may
not need to crack it, you may just need to capture it and reuse it. Also
have to worry about reply attacks. If a user just encrypts his password
with AES and sends that on the wire, I don't need to crack AES, as I have
the pw equiv. So I can just create my own logon session using the encrypted
bytes. Example of not climing up the wall, but just walking around it. One
reason why good security is hard. There are so many attack vectors to think
about. The security protocol needs to looked at as a whole.

 

[Wolf Kirchmeir]

We must also remember that depending on how and what is being sent, you may
not need to crack it, you may just need to capture it and reuse it. Also
have to worry about reply attacks. If a user just encrypts his password
with AES and sends that on the wire, I don't need to crack AES, as I have
the pw equiv. So I can just create my own logon session using the encrypted
bytes. Example of not climing up the wall, but just walking around it. One
reason why good security is hard. There are so many attack vectors to think
about. The security protocol needs to looked at as a whole.

Thanks for these comments, good points all, and a salutary reminder that
no matter how carefully you protect yourself, someone will find a weak
spot. To catch a thief, think like a thief....

 

[Colin Nash [MVP]]

This is a question about how secure encryption is.

I've allowed several users to install LogMeIn (web based remote access
tool.
I suppose it's similar to GoToMyPC.) on their local computers. I have one
particular question about the security of their connection (which uses 128
or 256 bit encryption & SSL & proxy servers.);

Would it be at all possible for someone who has complete control of their
servers to intercept and read the encrypted packets between client PCs
(for
example by cracking the passwords)?

I assume they it's virtually impossible. But someone brought it up at the
office and I'm not able to clearly and definitively prove them wrong.

Thanks,

BobK

I would be more concerned about their home PC becoming compromised and
thereby allowing someone to install a keylogger and/or screen viewer, and
then be able to get into the work system. without the need to crack
encryption. How important this threat is depends on what business you are
in... for example I would cringe if you were part of a law enforcement
agency or something =)

There's also plenty of (free) remote control software - like VNC or even
built-in to Windows- that don't require middleman servers. They might take
a bit more work on your part to allow through your firewalls securely
though.

To answer your specific question... is it possible for the middle man to
decrypt the information? Well that depends on how they have written their
program and set up their systems Have you looked at the source code of
their client and server apps?

 

[Alan]

I would be more concerned about their home PC becoming compromised
and thereby allowing someone to install a keylogger and/or screen
viewer, and then be able to get into the work system. without the
need to crack encryption. How important this threat is depends on
what business you are in... for example I would cringe if you were
part of a law enforcement agency or something =)

This is something that I have had concerns about recently.

I have clients that allow access to staff, from home, using a VPN
connection and, say, Terminal Server.

I have raised the issue of their staff having malware (keyloggers for
example) on their home PC that steal their network password, and allow
access to the business systems.

Assuming (from your post) that this is a real concern, what do you
suggest that they should do about it?

I can, of course, tell them that they shouldn't allow such access, but
being practical, such advice will not be heeded.

If we work on the premise that they want a solution that allows staff
remote access, but gives reasonable protection, then what would be the
best approach?

Thanks,

Alan.



--
The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:

(e-mail address removed)

This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address

 

[Bob I]

Provide said staff with a locked down and protected company PC for
business use at home.

 

[Paul Kelly]

At work we use two-factor authentication using RSA SecureID "keyfobs" in
conjunction with Citrix Metaframe for remote access. They have a PIN number
that changes every 60 seconds so you can log all they keystrokes you like,
the last 6 will only ever be valid for a maximum of 60 seconds, often much
less.

They can be used in other solutions as well, such as directly managing
Windows login credentials.

More info at http://www.rsasecurity.com

Paul

 

[Colin Nash [MVP]]

At work we use two-factor authentication using RSA SecureID "keyfobs" in
conjunction with Citrix Metaframe for remote access. They have a PIN
number that changes every 60 seconds so you can log all they keystrokes
you like, the last 6 will only ever be valid for a maximum of 60 seconds,
often much less.

That certainly helps... it's certainly more of an enterprise solution. I'm
also thinking about whether the keystrokes/screenshots themselves would
reveal sensitive info (what the user typed, what is on the screen.) Again,
whether this is a big deal or not depends on the type of business one is in.

 

[Alan]

Provide said staff with a locked down and protected company PC for
business use at home.

Hi Bob,

Neat idea, but I suspect it is not very practical in terms of cost and
staff aren't going to want another PC at home (I wouldn't - my wife
would kill me!)

I should have been more precise in terms of what to do within the
prameters of existing hardward setup.

Thanks,

Alan.

 

[Alan]

That certainly helps... it's certainly more of an enterprise
solution. I'm also thinking about whether the
keystrokes/screenshots themselves would reveal sensitive info (what
the user typed, what is on the screen.) Again, whether this is a
big deal or not depends on the type of business one is in.

I agree - the damage potential is two-fold:

1) Access to the systems by getting passwords

2) 'Seeing' confidential data that is viewed on screen from home by
an employee


The two-factor ID does address the first issue and I will look into
this, but what about the second?

I am now thinking that we have to assist the users in defending their
home PCs (unless we go with Bob's idea of a dedicated machine)?

If so, where do we start??

Alan.

--
The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:

(e-mail address removed)

This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address

 

[Bob I]

True, the "upfront" costs may be higher, but you DO have control of
what's in the "box" hardware and software wise. Also the possibility
exists of using laptops and docking stations, so one unit can be used at
work and home.

 

[Ian]

True, the "upfront" costs may be higher, but you DO have control of
what's in the "box" hardware and software wise. Also the possibility
exists of using laptops and docking stations, so one unit can be used at
work and home.

Assuming we are talking about a VPN Solution here - If the VPN is setup
correctly - to use the default gateway on the vpn - Surely this simple
step goes a long way to prevent the PC being comprimised during a VPN
session?

This also helps with the "vpn clients who can do things on your network
just becuase they are dialled in"

I see this quite a lot where organisations restrict users from doing
anything across a firewall besides HTTP and HTTPS - however if the user
goes home and creates a vpn connection in they can do whatever they like.

Might be trivial points but thought it was worth chipping in!

Ian

 

[beb]

Sorry if I missed it. Please telling us the number of users on your network
and your basic setup.

There are many products, both hardware and software that do what you want,
including authenticating the connecting client and check for malware before
they are allowed to connect to the network.

It depends on how much you are willing to spend.

You will have to be more specific when dealing with these sought of things.