Re: Security Practices
From: Nigel Stepp (stepp_at_atistar.net)
Date: 05/17/05
- Previous message: Foster, Dale: "RE: x11 forwarding problems"
- In reply to: David Busby: "Security Practices"
- Next in thread: Bryan McAninch: "RE: Security Practices"
- Reply: Bryan McAninch: "RE: Security Practices"
Date: Tue, 17 May 2005 13:14:22 -0400
To: David Busby <busby@edoceo.com>
David Busby wrote:
> List,
> I'm trying to get my sshd setup as secure as possible, some folks I
> know want to send financial data over this.
...
> aes256-cbc cipher (only)
http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
You may want to be aware of this paper. I believe the results are still
preliminary, but it's something to follow.
> I'm thinking that
> I'll make my key 4096 bits to add some security.
Heh, is your name Avi? (Cryptonomicon reference, couldn't resist)
That's probably overkill, but that assumes no codebreaking paradigm
shifts or what have you.
> Assume best means most secure even at
> the sacrifice of performance. Thanks!
If you're going to use 4096-bit keys, you may want to move away from MD5
as a hashing algorithm, since it has been shown to have some measure of
weakness. You might look at SHA256, SHA512, or something like
Whirlpool. I'm not an expert, however, and I'm not sure how proven
Whirlpool really is (or about the measure of support of these hashes in
ssh).
> /djb
-- :wq
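
Added example, not part of the original message: a small Python check that reads sshd_config text, reports the configured Ciphers, and flags any MD5-based entries under MACs, the concern raised in the reply above. The sample config and the function names are constructed for illustration; the parser assumes sshd's rule that the first occurrence of a keyword wins.

```python
import re

# Constructed sample config, not taken from the thread.
SAMPLE_CONFIG = """\
# constructed sample
Protocol 2
ciphers aes256-cbc
MACs hmac-md5,hmac-sha2-256,hmac-md5-96
MACs hmac-sha2-512
"""

def parse_first_values(text, keywords=("ciphers", "macs")):
    """Return {keyword: [algorithms]}, honouring first-occurrence-wins."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; keyword and value are separated
        # by whitespace or '='.
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # Ciphers/MACs are global settings; stop at Match blocks
        if key in keywords and key not in found and len(parts) == 2:
            found[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found

def audit(text):
    """Return (parsed settings, findings) for the given sshd_config text."""
    cfg = parse_first_values(text)
    findings = []
    if "macs" not in cfg:
        # Nothing pinned in the file, so the build's default list is used.
        findings.append(("macs", None, "not set; compiled-in defaults apply"))
    for mac in cfg.get("macs", []):
        if "md5" in mac.lower():
            findings.append(("macs", mac, "MD5-based MAC"))
    return cfg, findings

if __name__ == "__main__":
    settings, issues = audit(SAMPLE_CONFIG)
    print("Ciphers:", settings.get("ciphers"))
    for keyword, value, reason in issues:
        print(f"{keyword}: {value}: {reason}")
```

The algorithms a given build actually supports can be listed with `ssh -Q mac` and `ssh -Q cipher` on OpenSSH versions that provide the `-Q` option.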