Replace the VPN's encryption algorithm

Guest

Hi-

Can someone help me in this? I have a customer who wants 2 remote sites to
connect to each other via VPN but he does not want to use its standard
encryption algorithm. He wants to replace it with a custom algorithm that he
will provide. I'm not sure if this is feasible or not but if anybody has any
information on this can he please tell me?

Best regards,
Sami Samir
ITWorx
 
Steven L Umbach

I have set up some VPNs and read a LOT about them and have never heard or
read about such being possible. I assume he wants to use L2TP?? If so that
already uses IPsec and 3DES [assuming both points support it which
W2000/2003 would by default] which is very robust. Also IPsec periodically
renews the keys [both main and quick mode] used to encrypt data even if the
connection is persistent which would make it extremely [I don't like to say
never ever] unlikely that any VPN data could be compromised. Otherwise he
may want to look into third party endpoint hardware devices that use IPsec
and certificate authentication possibly offering AES but then he will give
up the flexibility of Windows Server VPN such as Remote Access Policies and
user authentication if that is important. --- Steve
 
Alun Jones

Can someone help me in this? I have a customer who wants 2 remote sites to
connect to each other via VPN but he does not want to use its standard
encryption algorithm. He wants to replace it with a custom algorithm that he
will provide. I'm not sure if this is feasible or not but if anybody has any
information on this can he please tell me?

Aside from whether it's possible, is it even desirable?

Why does the customer believe that the standard algorithm is inferior to the
custom algorithm?

If the customer is good enough at cryptography to generate his own custom
algorithm (and chances are almost certain that he is not), shouldn't he know
enough about crypto to be able to find out how to do this replacement?

If the customer has had the crypto written by an outside source - the question
again comes - if the source is that good that they've written a better crypto,
why are they coming to you to ask how to interface it into the VPN?

My guess is that the customer believes that their use of a standard encryption
algorithm puts them at risk from people who know the algorithm. It may be
your best track to advise your customer that the crypto on his VPN is designed
to use a _public_ algorithm, with a _private_ key. The widely-spread
knowledge of the algorithm is a part of its security, not a reason to believe
it is unsecure.

One of the big rules of crypto is "never roll your own". I studied
Mathematics at Cambridge University (not for long enough to graduate, but
there you go), and I have studied cryptographic algorithms since then. I
still do not believe myself good enough at crypto to design my own algorithm
and believe it would be any better than 3DES.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
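
The reply above argues that a VPN's security should rest on a private key, not on keeping the algorithm secret. As an added example (not part of any post in this thread), the sketch below shows a constructed home-made cipher giving up its key to one predictable message. The cipher, the sample HTTP requests, the host name and the function names are all assumptions made up for illustration.

```python
import secrets
from itertools import cycle

KEY_LEN = 16  # assumed key size of the constructed home-made cipher


def custom_encrypt(key: bytes, data: bytes) -> bytes:
    """Hypothetical 'secret' algorithm: XOR with a repeating key.

    XOR is its own inverse, so the same call also decrypts.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Reviewer's check: ciphertext XOR known plaintext gives the key bytes."""
    if len(ciphertext) < KEY_LEN or len(known_prefix) < KEY_LEN:
        raise ValueError("need at least KEY_LEN bytes of known plaintext")
    return bytes(c ^ p for c, p in
                 zip(ciphertext[:KEY_LEN], known_prefix[:KEY_LEN]))


def demo() -> bool:
    """Return True if one guessable request exposes all later traffic."""
    key = secrets.token_bytes(KEY_LEN)  # private key, unknown to the reviewer

    # Constructed sample traffic to the admin web site; the first request
    # line is the kind of text anyone can predict without seeing it.
    first = b"GET /admin/login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    second = (b"POST /admin/users HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
              b"user=alice&role=admin")
    c1 = custom_encrypt(key, first)
    c2 = custom_encrypt(key, second)

    guessed = b"GET /admin/login"  # exactly 16 predictable bytes
    recovered = recover_key(c1, guessed)

    # The key falls out of a single message, and with it every other message.
    return recovered == key and custom_encrypt(recovered, c2) == second


if __name__ == "__main__":
    print("key recovered from one known request:", demo())
```

Reviewed ciphers such as the 3DES and AES options mentioned in this thread are designed so that known plaintext does not yield the key, which is the property a home-made design has to prove before it can replace them.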
 
Roger Abell [MVP]

Well, yes I also question the motives and well-reasonedness of this.
But, why I chime in is that I would suspect the VPN from MS is just
tying into the existing crypto infrastructure. If so, isn't it non-trivial
to get a new algorithm signed (doable by following the regulations with
which MS must comply) so that it can be made available for use?
 
Kerry Brown

Sami said:
Hi-

Can someone help me in this? I have a customer who wants 2 remote
sites to connect to each other via VPN but he does not want to use
its standard encryption algorithm. He wants to replace it with a
custom algorithm that he will provide. I'm not sure if this is
feasible or not but if anybody has any information on this can he
please tell me?

Best regards,
Sami Samir
ITWorx

I don't know if it's possible with Windows but may be with special hardware.
A Google finds lots of possibilities.

http://www.google.com/search?hl=en&q=vpn+"custom+encryption"&btnG=Google+Search

Kerry
 
Guest

I appreciate all your replies. The problem is that the customer already has
the setup so the idea of providing additional hardware should be the last
option. Also, it is correct that the customer's request is due to the fact
that he wants to have a more secure communication between these remote sites.
Whether or not this is a good idea, changing the algorithm is one of his main
priorities.

Now, I want to ask more specific questions:
* Does the Extensible Authentication Protocol (EAP) have anything to do with
this? I read that I can provide a custom developed plug-in for my own
authentication protocol but I'm not sure if this includes anything related to
encryption?
* Is it feasible to build a client application that will perform the
encryption and decryption of the data before sending it over the
communication layer via VPN?

The whole idea is that there is a web site deployed in one of these sites
that has 2 modes: one for guest users and another for administrators. There
are administrators from the other remote site who need to access the site but
for security purposes they can only access it through an internal port, so
they have to connect via VPN. The customer wants to add additional security
by changing the encryption algorithm to make sure that all the security of
the communication that occurs is not compromised.

Again, I appreciate all your efforts and thanks for your interest.

--
Best regards,
Sami Samir
ITWorx
 
Kerry Brown

If the data is that sensitive it shouldn't be available externally at all.
Perhaps I'm being as paranoid as your customer but the only reason I can
think of for doing this is because of the rumours that Microsoft has a
couple of embedded keys hidden in the Windows encryption system that would
allow them or the government to decrypt the data. Only someone doing
something illegal would be worried about this. As to the technical side of
it the only method I can see to accomplish your goal is to write your own
encryption routine and encrypt the data yourself before the MS encryption
sees it. In other words it would be encrypted twice, once by your
application, then again by Windows.

Kerry
 
Steven L Umbach

From what I know that cannot be done via EAP which is for authentication
methods. You might consider using Remote Desktop through a L2TP VPN as then
you will have two layers of encryption. I can't imagine why he would not
settle for something like that as being secure enough. You also could use
IPsec [ESP/AH] to protect traffic from the VPN server to the target server
if needed. The link below has a link to a white paper that explains
security enhancements of Remote Desktop/TS in W2003 SP1. --- Steve

http://www.microsoft.com/windowsserver2003/technologies/terminalservices/default.mspx
 
Seeker

Sami said:
The whole idea is that there is a web site deployed in one of these sites
that has 2 modes: one for guest users and another for administrators. There
are administrators from the other remote site who need to access the site but
for security purposes they can only access it through an internal port, so
they have to connect via VPN. The customer wants to add additional security
by changing the encryption algorithm to make sure that all the security of
the communication that occurs is not compromised.

Again, I appreciate all your efforts and thanks for your interest.

This sounds a lot like his attempt will reduce security. Insist that he
use a peer-reviewed, open algorithm. What he should be concerned with
is not necessarily the algorithm, but the proper management of keys
and/or certificates.
 
