[186650] in North American Network Operators' Group


Re: de-peering for security sake

daemon@ATHENA.MIT.EDU (Matthew Petach)
Sun Dec 27 01:06:41 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <2BFCFFB2-9D23-4851-9C5D-F8C66C8D193C@delong.com>
Date: Sat, 26 Dec 2015 22:06:29 -0800
From: Matthew Petach <mpetach@netflight.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Sat, Dec 26, 2015 at 6:37 PM, Owen DeLong <owen@delong.com> wrote:
>> On Dec 26, 2015, at 15:54 , Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
>>
[...]

>> The key approach is still better. Even if the password is 123456 the
>> attacker is not going to get in, unless he somehow stole the key file.
>
> Incorrect… It is possible the attacker could brute-force the key file.
>
> A 1024 bit key is only as good as a ~256 character passphrase in terms of entropy.
>
> If you are brute force or otherwise synthesizing the private key, you do not need
> the passphrase for the on-disk key. As was pointed out elsewhere, the passphrase
> for the key file only matters if you already stole the key file.
>
> In terms of guessing the private key vs. guessing a suitably long pass phrase, the
> difficulty is roughly equivalent.

Intriguing point.   I was thinking about it
from the end-user perspective; but you're
right, from the bits-on-the-wire perspective,
it's all just a stream of 1's and 0's, whether
it came from a private key + passphrase
run through an algorithm or not.

Thanks for the reminder to look at it from
multiple perspectives.  ^_^


Matt
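The comparison the thread argues about, worked through as an added example (this is editor-supplied code, not something posted in the thread). It assumes the comparable-strength figures from NIST SP 800-57 Part 1 (RSA-1024 about 80 bits of work, RSA-2048 about 112, RSA-3072 and 256-bit elliptic-curve keys about 128), models a passphrase as uniformly random over the character classes it visibly uses (which overestimates real, human-chosen passphrases), and uses the thread's own "123456" as constructed input. The key-type table and the character-class model are assumptions of the example, not facts the thread states.

```python
import math

# Approximate brute-force work factor (bits) for common SSH key types,
# following the comparable-strength table in NIST SP 800-57 Part 1.
# ASSUMPTION of this example; the thread gives no such numbers.
KEY_SECURITY_BITS = {
    "rsa-1024": 80,
    "rsa-2048": 112,
    "rsa-3072": 128,
    "ecdsa-p256": 128,
    "ed25519": 128,
}

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~ "   # 33 printable ASCII non-alphanumerics


def alphabet_size(passphrase: str) -> int:
    """Size of the union of character classes the passphrase draws from.

    Conservative model: the attacker is assumed to know which classes were
    used, so "123456" is searched over 10 symbols, not 95.
    """
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in cls for c in passphrase):
            size += len(cls)
    if size == 0:
        raise ValueError("passphrase uses no recognised character class")
    return size


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on entropy, assuming each character was chosen uniformly."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def chars_needed(target_bits: float, alphabet: int) -> int:
    """Shortest uniformly random passphrase over `alphabet` that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet))


def expected_guesses(bits: float) -> float:
    """Expected guesses to find a secret with `bits` of entropy: half the keyspace."""
    return 2 ** (bits - 1)


def compare(passphrase: str, key_type: str) -> dict:
    """Which is the weaker target for an attacker who must guess it outright:
    the passphrase, or the private key of the given type?"""
    pbits = passphrase_entropy_bits(passphrase)
    kbits = KEY_SECURITY_BITS[key_type]
    return {
        "passphrase_bits": round(pbits, 2),
        "key_bits": kbits,
        "weaker": "passphrase" if pbits < kbits else "key",
        # How long a passphrase over the same alphabet would match the key.
        "chars_to_match_key": chars_needed(kbits, alphabet_size(passphrase)),
    }


if __name__ == "__main__":
    # Constructed inputs: the thread's "123456", and a printable-ASCII passphrase.
    for pw in ("123456", "Tr0ub4dor&3"):
        for kt in ("rsa-1024", "ed25519"):
            print(pw, kt, compare(pw, kt))
    # Passphrase length over full printable ASCII needed to match each key type.
    for kt, bits in KEY_SECURITY_BITS.items():
        print(kt, "~", chars_needed(bits, 95), "random printable chars")
```

The point the example makes for the two scenarios in the thread: a guessed private key is attacked directly and the passphrase never enters the picture, so what matters is the key's work factor; a stolen key file is attacked through its passphrase, and "123456" over ten digits is under 20 bits, far below any key type in the table. Note the model is an upper bound: real passphrases are not uniform, so dictionary attacks do much better than these figures suggest.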
