nanog mailing list archives
Re: de-peering for security sake
From: Matthew Petach <mpetach () netflight com>
Date: Sat, 26 Dec 2015 22:06:29 -0800
On Sat, Dec 26, 2015 at 6:37 PM, Owen DeLong <owen () delong com> wrote:
On Dec 26, 2015, at 15:54 , Baldur Norddahl <baldur.norddahl () gmail com> wrote:
[...]
The key approach is still better. Even if the password is 123456 the attacker is not going to get in, unless he somehow stole the key file.

Incorrect… It is possible the attacker could brute-force the key file. A 1024 bit key is only as good as a ~256 character passphrase in terms of entropy. If you are brute-forcing or otherwise synthesizing the private key, you do not need the passphrase for the on-disk key. As was pointed out elsewhere, the passphrase for the key file only matters if you already stole the key file. In terms of guessing the private key vs. guessing a suitably long pass phrase, the difficulty is roughly equivalent.
Intriguing point. I was thinking about it from the end-user perspective; but you're right, from the bits-on-the-wire perspective, it's all just a stream of 1's and 0's, whether it came from a private key + passphrase run through an algorithm or not.

Thanks for the reminder to look at it from multiple perspectives. ^_^

Matt