My Cisco Live 2012 program

My Cisco Live 2012 program is below. I was able to select most of the sessions although there were some overlap with one session (something ARC overlapping with another ARC). You might note that the closing keynote is by the guys who play Mythbusters on TV - that'll most likely be a fun filled event! I'll blog about my pre-event feelings if I have the time and interest ;-)

 

Cisco Live 2012

 Personal Schedule

Printed below is your personal schedule.

Sunday
8:00 AM 5:00 PM		TECCOM-2001	Cisco Unified Computing System Technical Day
Monday
8:00 AM 9:30 AM		BRKNMS-2658	Securely Managing Your Networks with SNMPv3
10:00 AM 12:00 PM		BRKSEC-3021	Maximizing Firewall Performance
1:00 PM 3:00 PM		BRKRST-2335	IS-IS Network Design and Deployment
Tuesday
8:00 AM 9:30 AM		BRKRST-2310	Deploying OSPF in a Large-Scale Network
10:00 AM 11:30 AM		GENKEY-4346	Keynote and Welcome Address
12:30 PM 2:30 PM		BRKARC-3470	Cisco Nexus 7000 Switch Architecture
4:00 PM 6:00 PM		BRKSEC-4054	DMVPN Deployment Models
Wednesday
8:00 AM 9:30 AM		BRKSEC-3013	Advanced IPSec with FlexVPN and IKEv2
10:00 AM 11:30 AM		GENKEY-4347	Cisco Technology Keynote
12:30 PM 2:30 PM		BRKSPG-2402	Best Practices to Deploy High-Availability in Service Provider Edge and Aggregation Architectures
4:00 PM 6:00 PM		BRKARC-3471	Cisco NX-OS Software Architecture
Thursday
8:00 AM 9:30 AM		BRKARC-2003	Cisco ASR 9000 Architecture
10:00 AM 11:30 AM		BRKARC-2007	IOS Strategy and Evolution
12:00 PM 1:30 PM		BRKSPG-2404	Energy Efficient Data Center: Best Practices
2:00 PM 3:00 PM		GENKEY-4358	Closing Keynote: An Afternoon with Adam Savage and Jamie Hyneman
3:30 PM 5:30 PM		BRKMPL-3101	Advanced Topics and Future Directions in MPLS

 = Conference Event

We don't understand hashes

At least I don't, nor do I understand math. It only this week dawned to me, that we consistently choose wrong hash for password hashing.

When I started using Linux DES was the standard way to hash your passwd, then it was MD5, now at least Ubuntu is using SHA. And I can bet that in 2 years time SHA-3 (will be selected this year) will be used widely for protecting passwords.

But what were design goals for MD5 and SHA? Design goals are obviously avoidance of collisions and more importantly algorithmic cheapness in terms of computational requirements and ability to implement it cheaply and easily in hardware requiring no branching. So MD5 and SHA are _by design_ simple to brute-force in hardware, even the new SHA-3. You don't want your 'git commit' or 'sha3sum /dev/cdrom' to take days, you want it to be very very fast and very very unlikely to represent any other data.

It should be quite obvious that those requirements are orthogonal to the requirements of password hash. Avoidance of collisions is not critical to password hash and absolutely opposite requirement of computational expensiveness exists for password hash, it needs to be very expensive and it needs to be poorly implementable in cheap hardware.

This only dawned to me, when co-worker was cracking password of one DWDM system and as it was DES we naively assumed it'll be cracked in seconds, but it turns out in CUDA systems DES is hundreds of times slower to crack than MD5 (it might have been that this was apples to oranges unix DES compared to MD5 instead of unix MD5, but doesn't change the fact that hash like bcrypt makes much more sense for passwords than hashes like MD5 or SHA). It was really illuminating moment for me, obviously this is good for general applications of hash, MD5 was designed to be fast (and so will SHA-3), obviously fast to calculate also means fast to brute-force. Only problem here is, that we're not understanding our application when choosing hash for protecting password, MD5 never was designed to be good for that application. Bcrypt is, I'm not familiar with it, I don't really know how good it is, but at least it's designed to be computationally very expensive and as machines get faster you can make it slower and slower without changing the implementation, you'll just give it different parameter.