Re: Pub/priv key security

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 12/08/03


Date: Mon, 08 Dec 2003 16:16:33 GMT


"roberto2312@hotmail.com" <roberto2312@hotmail.com> writes:
> I have a small security question:
> how many pub/priv key is more secure
> against password access?
>
> Is it true that a 512bit pub/priv key is
> ~10times more secure than a 10 char pwd
> (5bit*10=50bit 512/50=~10) against
> brute-force attack?

side note regarding rsa-576
http://slashdot.org/articles/03/12/07/235214.shtml?tid=126&tid=172&tid=93

misc. general observations

1) pin/password is shared secret. eavesdropping/skimming/harvesting the
pin/password allows impersonation.

2) public/private key is non-shared secret. eavesdropping digital
signatures doesn't allow for impersonation (other than replay
attacks). skimming/harvesting public key at server doesn't allow for
impersonation.

3) pin/password being a shared secret paradigm (because of #1)
requires unique shared secret for every security domain ... leading to
scores of pin/passwords that each human needs to remember

4) public/private key (directly) is non-shared secret paradigm ... and
can be used to help mitigate human factor problems with having to
remember scores of pin/passwords.

Frequently there is a pin/password that is required to decrypt/access
the private key .... however this is nominally within the context of a
person's private environment and therefore not a "shared secret" but a
"non-shared-secret" (i.e. there is only a single pin/password rather
than unique pin/password for every infrastructure that the
public/private key is to be used).

There have been some observations that recent exploits have been 1/3rd
buffer overflows, 1/3rd automated viruses/trojans, and 1/3rd phishing
and/or social engineering.

phishing shared-secret pin/password allows attacker to directly
impersonate. phishing private key pin/password doesn't directly do the
attacker any good unless they can also obtain the entity's private key
container (software file or hardware token) ... aka it becomes
two-factor authentication ("something you have" and "something you
know") rather than simple single-factor authentication, and more
specifically a shared-secret "something you know" paradigm that is
part of the human factors problem with scores of shared secrets.

lots of past threads on fraud, exploits, vulnerabilities:
http://www.garlic.com/~lynn/subpubkey.html#fraud

part of thread in sci.crypt that had wandered into issue of key
strengths and attacks on keys:
http://www.garlic.com/~lynn/2003o.html#46

recent threads referencing various aspects of three-factor
authentication and shared-secret vis-a-vis non-shared-secret paradigm:
http://www.garlic.com/~lynn/2003o.html#3
http://www.garlic.com/~lynn/2003o.html#4
http://www.garlic.com/~lynn/2003o.html#8
http://www.garlic.com/~lynn/2003o.html#9
http://www.garlic.com/~lynn/2003o.html#17
http://www.garlic.com/~lynn/2003o.html#22
http://www.garlic.com/~lynn/2003o.html#29
http://www.garlic.com/~lynn/2003o.html#35
http://www.garlic.com/~lynn/2003o.html#44

and some past postings on assurance
http://www.garlic.com/~lynn/subtopic.html#assurance

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/ 
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
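Points 1 and 2 above (a captured password replays, a captured signature does not, provided the server issues a fresh challenge) as an added example in Go, not code from the post or from garlic.com. It uses the standard library's ed25519 as a stand-in for the RSA keys discussed; the password value is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Shared-secret login: the server holds the same value the client sends,
// so whoever eavesdrops or skims it can present it again (point 1).
func PasswordLogin(stored, presented []byte) bool {
	return subtle.ConstantTimeCompare(stored, presented) == 1
}

// Server side of challenge/response: a fresh random nonce per attempt is
// what turns "eavesdropping a signature" into a non-replayable event.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Client proves possession of the private key without ever sending it.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Server verifies with the public key; harvesting that key from the
// server yields nothing usable for impersonation (point 2).
func KeyLogin(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

// Demo plays the eavesdropper against both schemes and reports whether
// replaying the captured credential succeeds.
func Demo() (passwordReplayWorks, signatureReplayWorks bool, err error) {
	pw := []byte("correct horse battery staple") // constructed sample
	captured := append([]byte(nil), pw...)       // what an eavesdropper saw
	passwordReplayWorks = PasswordLogin(pw, captured)

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	c1, err := NewChallenge()
	if err != nil {
		return
	}
	sig := Respond(priv, c1) // eavesdropper captures c1 and sig
	if !KeyLogin(pub, c1, sig) {
		err = fmt.Errorf("genuine challenge/response login failed")
		return
	}
	c2, err := NewChallenge() // server issues a new nonce for the replay attempt
	if err != nil {
		return
	}
	signatureReplayWorks = KeyLogin(pub, c2, sig)
	return
}

func main() {
	pwReplay, sigReplay, err := Demo()
	fmt.Println("password replay:", pwReplay, "signature replay:", sigReplay, "err:", err)
}
```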
