Date: Mon, 25 Jun 2012 12:09:08 -0400
From: "J. Hellenthal"
To: RW
Cc: freebsd-security@freebsd.org
Subject: Re: Hardware potential to duplicate existing host keys... RSA DSA ECDSA was Add rc.conf variables...

On Mon, Jun 25, 2012 at 02:31:04AM +0100, RW wrote:
> On Sun, 24 Jun 2012 17:23:47 -0400
> Robert Simmons wrote:
>
> > On Sun, Jun 24, 2012 at 5:18 PM, Dag-Erling Smørgrav
> > wrote:
> > > Robert Simmons writes:
> > >> In light of advances in processors and GPUs, what is the potential
> > >> for duplication of RSA, DSA, and ECDSA keys at the current default
> > >> key lengths (2048, 1024, and 256 respectively)?
> > >
> > > You do know that these keys are used only for authentication, and
> > > not for encryption, right?
> >
> > Yes, the encryption key length is determined by which symmetric cipher
> > is negotiated between the client and server based on what is available
> > from the Ciphers line in sshd_config and ssh_config.
>
> I'm not very familiar with ssh, but surely they're also used for
> session-key exchange, which makes them crucial to encryption. They
> should be as secure as the strongest symmetric cipher they need to work
> with.

This should give you a good outline of it.

http://www.linuxjournal.com/article/9566

-- 
- (2^(N-1))
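
A simplified SSH-2 style key exchange, as an added example that is not part of the original message: the session secret comes from ephemeral Diffie-Hellman values, and the host key only signs the exchange hash. All parameters are constructed toy values (tiny Mersenne primes, unpadded textbook RSA) and the function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration and far too small for real use.
P = 2**127 - 1                        # Mersenne prime used as the DH modulus
G = 3                                 # assumed base for the toy group
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1   # two Mersenne primes forming a toy host key
RSA_N, RSA_E = RSA_P * RSA_Q, 65537   # host public key
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # host private exponent


def exchange_hash(e, f, k, host_pub):
    """Hash binding both DH public values, the shared secret and the host key."""
    data = "|".join(str(x) for x in (e, f, k, *host_pub)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def server_reply(e, host_priv=RSA_D):
    """Server: fresh DH secret y, shared secret K, host-key signature over H."""
    y = secrets.randbelow(P - 3) + 2
    f = pow(G, y, P)
    k = pow(e, y, P)                  # K depends only on e and y
    h = exchange_hash(e, f, k, (RSA_N, RSA_E))
    sig = pow(h % RSA_N, host_priv, RSA_N)   # host key is used here and only here
    return f, sig, k


def client_finish(x, e, f, sig, known_host=(RSA_N, RSA_E)):
    """Client: derive K from its own secret x, then verify the host signature."""
    k = pow(f, x, P)
    h = exchange_hash(e, f, k, known_host)
    n, pub_e = known_host
    return k, pow(sig, pub_e, n) == h % n


def run_exchange(host_priv=RSA_D):
    """Return (both sides derived the same K, host signature verified)."""
    x = secrets.randbelow(P - 3) + 2
    e = pow(G, x, P)
    f, sig, server_k = server_reply(e, host_priv)
    client_k, authenticated = client_finish(x, e, f, sig)
    return client_k == server_k, authenticated
```

A server signing with the wrong private exponent still agrees on K with the client, but the client's check against the known host key fails, which is the authentication role the host key plays.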