nanog mailing list archives

Re: de-peering for security sake


From: Matthew Petach <mpetach () netflight com>
Date: Sat, 26 Dec 2015 22:06:29 -0800

On Sat, Dec 26, 2015 at 6:37 PM, Owen DeLong <owen () delong com> wrote:
On Dec 26, 2015, at 15:54, Baldur Norddahl <baldur.norddahl () gmail com> wrote:

[...]

The key approach is still better. Even if the password is 123456 the
attacker is not going to get in, unless he somehow stole the key file.

Incorrect… It is possible the attacker could brute-force the key file.

A 1024-bit key is only as good as a ~256-character passphrase in terms of entropy.

If you are brute force or otherwise synthesizing the private key, you do not need
the passphrase for the on-disk key. As was pointed out elsewhere, the passphrase
for the key file only matters if you already stole the key file.

In terms of guessing the private key vs. guessing a suitably long passphrase, the
difficulty is roughly equivalent.

Intriguing point. I was thinking about it from the end-user perspective; but you're
right, from the bits-on-the-wire perspective, it's all just a stream of 1's and 0's,
whether it came from a private key + passphrase run through an algorithm or not.

Thanks for the reminder to look at it from multiple perspectives.  ^_^


Matt
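
The comparison the thread is arguing about (guessing the private key outright vs. guessing the passphrase, and why the on-disk passphrase only matters once the key file has been stolen) can be put into numbers. The following is an added worked example, not code or figures from the thread. It assumes the NIST SP 800-57 Part 1 security-strength estimates for RSA modulus sizes (1024-bit RSA is rated at roughly 80 bits of symmetric-equivalent work), assumes the passphrase characters are chosen uniformly at random from the stated alphabets (a human-chosen passphrase has far less entropy), and ignores the per-guess cost of the key file's KDF:

```python
# Added example (not from the NANOG thread): work-factor comparison for the
# "guess the private key vs. guess the passphrase" argument above.
import math

# Security strength of RSA by modulus size, in bits of symmetric-equivalent
# work, taken from NIST SP 800-57 Part 1 Rev. 5, Table 2. These are the
# standard estimates, not figures stated in the thread.
RSA_SECURITY_BITS = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

# Assumed alphabet sizes for a uniformly random passphrase.
ALPHABETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable": 95}


def key_security_bits(rsa_bits: int) -> int:
    """Work (in bits) to recover an RSA private key from its public key by
    factoring, per the NIST table. Raises KeyError for sizes not listed."""
    return RSA_SECURITY_BITS[rsa_bits]


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase of `length` characters drawn uniformly from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def length_to_match(security_bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random passphrase whose entropy reaches security_bits."""
    return math.ceil(security_bits / math.log2(alphabet_size))


def attack_cost_bits(has_key_file: bool, key_bits: float, passphrase_bits: float) -> float:
    """Cheapest route to the private key, in bits of work.

    Without the key file the passphrase never enters the picture: the only
    route is recovering the key itself (factoring the public modulus).
    With the key file the attacker may brute-force the passphrase or still
    attack the key directly, so the cost is the cheaper of the two.
    """
    if not has_key_file:
        return key_bits
    return min(key_bits, passphrase_bits)


def expected_guesses(bits: float) -> float:
    """Expected number of trials against a `bits`-bit search space
    (half the space on average)."""
    return 2.0 ** (bits - 1)


if __name__ == "__main__":
    rsa = 1024
    kb = key_security_bits(rsa)
    print(f"RSA-{rsa}: ~{kb}-bit security, ~2^{kb - 1} expected guesses")
    for name, size in ALPHABETS.items():
        print(f"  {name:>12}: {length_to_match(kb, size):3d} random chars to match")

    # The "123456" case from the thread: six digits of a ten-symbol alphabet.
    weak = passphrase_entropy_bits(6, ALPHABETS["digits"])
    print(f"6-digit passphrase: {weak:.1f} bits")
    print(f"  attacker without key file: {attack_cost_bits(False, kb, weak):.1f} bits")
    print(f"  attacker with key file:    {attack_cost_bits(True, kb, weak):.1f} bits")

    # A very long passphrase cannot raise the cost above the key's own strength.
    strong = passphrase_entropy_bits(256, ALPHABETS["printable"])
    print(f"256 printable chars: {strong:.0f} bits of entropy, but the attacker "
          f"with the key file still needs only {attack_cost_bits(True, kb, strong):.0f} bits")
```

Two things the numbers make visible: a weak passphrase only lowers the attacker's cost when they already hold the key file, and a long passphrase never raises it above the strength of the key itself, which is why the key size, not the passphrase, is the ceiling. In practice the per-guess cost of the key file's KDF (OpenSSH's new-format keys use bcrypt_pbkdf with a round count set by `ssh-keygen -a`) adds a constant factor to the passphrase side that this example leaves out.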

