From owner-freebsd-security Thu Aug 29 0:12:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B750D37B400 for ; Thu, 29 Aug 2002 00:12:13 -0700 (PDT) Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by mx1.FreeBSD.org (Postfix) with SMTP id 410C143E4A for ; Thu, 29 Aug 2002 00:12:12 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 54021 invoked by uid 1000); 29 Aug 2002 07:12:32 -0000 Date: Thu, 29 Aug 2002 09:12:32 +0200 From: "Karsten W. Rohrbach" To: "Perry E. Metzger" Cc: mipam@ibb.net, Matthias Buelow , =?iso-8859-1?Q?Stefan_Kr=FCger?= , freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org Subject: Re: 1024 bit key considered insecure (sshd) Message-ID: <20020829091232.A53344@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , "Perry E. Metzger" , mipam@ibb.net, Matthias Buelow , =?iso-8859-1?Q?Stefan_Kr=FCger?= , freebsd-security@FreeBSD.org, tech-security@netbsd.org, misc@openbsd.org References: <20020828200748.90964.qmail@mail.com> <3D6D3953.6090005@mukappabeta.de> <20020828224330.GE249@localhost> <87k7mamc2s.fsf@snark.piermont.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <87k7mamc2s.fsf@snark.piermont.com>; from perry@piermont.com on Thu, Aug 29, 2002 at 02:08:27AM -0400 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --8t9RHnE3ZwKMSgU+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Perry E. Metzger(perry@piermont.com)@2002.08.29 02:08:27 +0000: > I do. If someone with millions of dollars to spend on custom designed > hardware wants to break into your computer, I assure you that > increasing the size of your ssh keys will not stop them. Nor, for that you missed the concept behind crypto in general, i think. it's not about stopping someone from accessing private resources, but rather making that approach to make access to these resources /very/ unattractive, by increasing the amount of time (and thus $$$) an attacker has to effort to get access. > matter, would the slow and tedious process of cracking your ssh keys > be nearly as efficient as the more pragmatic alternatives. the slower, the better, as a direct consequence of my last paragraph. > That said, those running on newer hardware can probably reasonably use > larger keys if they wish. increasing the server's key width imposes a higher processing cost for the initial handshake. efficiency of the cipher used for transit encryption is not directly affected. regards, /k --=20 > Hackers know all the right MOVs. WebMonster Community Project -- Reliable and quick since 1998 -- All on BSD http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.= de/ GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6 REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44 My mail is GnuPG signed - Unsigned ones might be bogus - http://www.gnupg.o= rg/ Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --8t9RHnE3ZwKMSgU+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: For info see http://www.gnupg.org iD8DBQE9bclgs5Nr9N7JSKYRAl8AAJ9dhYWcjTJISSlHe6CcgtN260zwjACfcqMU 7hEFoxpqdhX75nCvqd8TgJY= =VVrX -----END PGP SIGNATURE----- --8t9RHnE3ZwKMSgU+-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message