[Beowulf] Re: "hobbyists"

Robert G. Brown rgb at phy.duke.edu
Thu Jun 19 13:26:49 EDT 2008


On Thu, 19 Jun 2008, Perry E. Metzger wrote:

> I can log in using your credentials if I have your private key and you
> are using SSH with public key authentication. However, even if I have
> both of your private and public keys, the ephemeral key used for a
> particular session is agreed to using Diffie-Hellman key exchange, and
> mere knowledge of your long term keys will not allow anyone to read
> your session traffic. This property is known as "Perfect Forward
> Secrecy." (Technically, this is only true of sshv2 -- sshv1 used
> random nonces exchanged under RSA for the key material, but sshv1
> is no longer in wide use because it has a number of security issues.)

They do enable man in the middle attacks, however, so that while your
connection cannot be snooped "passively", somebody in the middle (say,
in possession of any intermediary router) can pretend to be both sides
by establishing simulations of the connections requested and forwarding
the traffic.

Similarly, if somebody has both my public and private keys they very
likely can get into my system and insert trojans into it and directly
snoop everything I do, access kmem, own my view of the universe through
completely bugged network and peripheral eyes. Encryption is never any
better than the physical and network and systems security on which it is
implemented, as it is a weak-link problem.

But otherwise sure.  Similar things for WPA vs WEP as I recall -- WEP
doesn't change the ephemeral keys.  But encryption is more a hobby
associated with my interest in information theory and random numbers
than a speciality.  I didn't realize that they'd made 1024 bit keys
vulnerable at this point.  I'm guessing that "vulnerable" still means
"vulnerable to people with obscene amounts of free computer time and
not enough to do" as opposed to "vulnerable" as in airsnort makes WEP
vulnerable to pimply faced kids with old laptops, but still, worth
knowing, thanks!

    rgb

-- 
Robert G. Brown                            Phone(cell): 1-919-280-8443
Duke University Physics Dept, Box 90305
Durham, N.C. 27708-0305
Web: http://www.phy.duke.edu/~rgb
Book of Lilith Website: http://www.phy.duke.edu/~rgb/Lilith/Lilith.php
Lulu Bookstore: http://stores.lulu.com/store.php?fAcctID=877977
_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



More information about the Beowulf mailing list