From owner-freebsd-security Thu Aug 29 2:20:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A45C37B400 for ; Thu, 29 Aug 2002 02:20:29 -0700 (PDT) Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by mx1.FreeBSD.org (Postfix) with SMTP id 0886E43E6E for ; Thu, 29 Aug 2002 02:20:28 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 57573 invoked by uid 1000); 29 Aug 2002 09:20:48 -0000 Date: Thu, 29 Aug 2002 11:20:48 +0200 From: "'Karsten W. Rohrbach'" To: "George F. Costanzo" Cc: freebsd-security@FreeBSD.ORG, tech-security@NetBSD.org, misc@openbsd.org Subject: Re: 1024 bit key considered insecure (sshd) Message-ID: <20020829112048.B57322@mail.webmonster.de> Mail-Followup-To: "'Karsten W. Rohrbach'" , "George F. Costanzo" , freebsd-security@FreeBSD.ORG, tech-security@NetBSD.org, misc@openbsd.org References: <20020829091232.A53344@mail.webmonster.de> <004c01c24f3a$1508f040$0100a8c0@soap> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="UHN/qo2QbUvPLonB" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <004c01c24f3a$1508f040$0100a8c0@soap>; from afx@pkl.net on Thu, Aug 29, 2002 at 06:57:18PM +1000 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --UHN/qo2QbUvPLonB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable George F. Costanzo(afx@pkl.net)@2002.08.29 18:57:18 +0000: > > you missed the concept behind crypto in general, i think. it's not > > about stopping someone from accessing private resources, but rather > > making that approach to make access to these resources /very/ > > unattractive, by increasing the amount of time (and thus $$$) an > > attacker has to effort to get access. >=20 > Yes, to increase the time/cost in breaking the key to outweigh the cost > of the information that will be gained. one might remark, as a sidenote, that crypto is just one of the building blocks to system security. what if the crypto in use is really tough, but the software framework employing it is full of bugs, or misdesigned is one question. the other question (as raised in the verious discussions around pgp/gpg in the last years) is, that - if somebody wants to access encrypted resources - it might be a better approach for him to get access by brute (physical) force. > If the information you're trying to protect is worth that much to you, > you'll take the extra steps needed to increase key length. Otherwise, > the default will be fine for most users. seconded, whereas the security measures need to go a little further if the resources protected really are /that/ valuable ;-) > Schneier is blowing this out of proportion a little, quoting Lucky's > decision throughout. Lucky is overly paranoid and Schneier knows it. He > also uses the article to bring up (read: plug) his pretty accurate key > length estimates. Schneier's motives have been slightly dubious for > awhile. :-> regards, /k --=20 > A Puritan is someone who is deathly afraid that someone, somewhere, is > having fun. WebMonster Community Project -- Reliable and quick since 1998 -- All on BSD http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.= de/ GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6 REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44 My mail is GnuPG signed - Unsigned ones might be bogus - http://www.gnupg.o= rg/ Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --UHN/qo2QbUvPLonB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: For info see http://www.gnupg.org iD8DBQE9bedws5Nr9N7JSKYRAq4HAJwMblJZKg8rdleWtw8rrANTmbkyxQCdGZDg p5kqGrbaDh4Gpl5+WbjxnXQ= =YptX -----END PGP SIGNATURE----- --UHN/qo2QbUvPLonB-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message