[186657] in North American Network Operators' Group
Re: de-peering for security sake
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Dec 27 03:39:16 2015
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAPkb-7CJ1K-=7k1qM+HEujPP0=qcSY1EPQiKU5SUOQzKGDRLug@mail.gmail.com>
Date: Sun, 27 Dec 2015 00:38:06 -0800
To: Baldur Norddahl <baldur.norddahl@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Dec 26, 2015, at 20:35 , Baldur Norddahl =
<baldur.norddahl@gmail.com> wrote:
>=20
> Owen you misunderstood what two factor is about. It is not practical =
to
> brute force the key file. Nor is it practical to brute force a good
> passphrase or password. Both have sufficient strength to withstand =
attack.
This simply isn=E2=80=99t as true as it=E2=80=99s assumed to be, but =
let=E2=80=99s move on for the moment.
> But two factor is about having two things that needs to be broken. The =
key
> can be stolen, but the thief needs the password. The password can be
> stolen, but the thief needs the key. He needs both.
If the key file is stolen, you have one search space, the pass phrase to =
unlock the key.
If the key file is not stolen, you have one search space: the key.
> SSH password + key file is accepted as two factor by PCI DSS auditors, =
so
> yes it is in fact two factor.
PCI DSS auditors think that NAT is a form of security, so don=E2=80=99t =
get me started on the
fact that the PCI DSS auditors haven=E2=80=99t a clue about actual =
security. PCI DSS is more
about security theater than security. In some ways, they=E2=80=99re even =
less competent than
the TSA.
> But it is weak two factor because the key file is too easily stolen. =
NOT
> because the key file can be brute forced. Nor because hypothetically
> someone could memorize the content of the key file.
Either way, you only have one search space. If you don=E2=80=99t have =
the key file, then the
key is your search space. If you have the key file, then the passphrase =
may be an
easier search space.
> It is also weak because the key file can be duplicated. Note it does =
not
> stop being two factor because of this, but stronger hardware based two
> factor systems usually come with the property that it is very hard to
> duplicate the key. Other examples of a two factor system were the key =
is
> easy to duplicate is credit card with magnetic strip + pin. Example =
where
> it is hard to duplicate is credit card with chip + pin. Both are =
examples
> of where the password (the pin) is actually very weak, but it is still =
two
> factor.
To actually be two-factor, it needs to be two of something you have, =
something
you know, something you are. The strongest combination is something you =
know
and something you are (e.g. Retina, hand scan, etc. combined with =
PIN/Password).
SSH Key protected by pass phrase is just two things you know. =
Admittedly, one
of them is a thing you know because you stored it on disk instead of =
memorizing
it, but it=E2=80=99s not really something you have because as you =
pointed out, it can be
easily duplicated and also it can be transported without requiring =
physical
movement.
Something you have, in order to truly be a second factor, has to be a =
unique
item that is:
1. In your possession
2. Cannot be (easily) duplicated without your knowledge
(The greater the degree of difficulty for duplication, =
the better this is,
but a Schlage key, for example, is sufficiently =
difficult to qualify in most
cases).
3. Theft can be reliably detected by the fact it is no =
longer in your possession.
An RSA or DSA key does not meet those criteria because it can be copied =
without
your knowledge and without removing the key from your possession.
> Btw, you should not be using RSA anymore and a 1024 bit RSA key does =
not in
> fact have a strength equal to 1024 bits entropy. It was considered =
equal to
> about 128 bit of entropy, but is believed to be weaker now. I am using =
ECC
> ecdsa-sha2-nistp521 which is equal to about 256 bits. Although some =
people
> with tin foil hats believe we should stay away from NIST altogether. =
Unless
> someone breaks the crypto, you are NOT going to brute force that key.
I think you=E2=80=99re the first person to bring up 1024 RSA keys here. =
I only said private
keys. A very large fraction of SSH users are still using 1024 bit DSA =
keys in the
real world. I am still using 2048 bit DSA keys. ECC would be better.
I also didn=E2=80=99t say that a 1024 bit key had 1024 bits of entropy. =
I said that a 1024
bit key and a 256-character pass phrase have about the same entropy. =
There
are about 128 bits of entropy in a good 256 character pass phrase. There =
are
about 128 bits of entropy in a 1024 bit DSA key.
> Yes I get your argument, you are saying break the key and you won't =
need
> the password, but a) you can't actually break the key before the =
universe
> ends, b) it is still two factor, just a extremely tiny in the academic
If you have enough cheap GPUs, you can actually break a 1024 bit key
well before the universe ends. In fact, you can probably break it before
the end of 2016 if you=E2=80=99re willing to put about $30k into the =
process.
> sense little bit weaker two factor. All crypto based two factor =
systems
No, it=E2=80=99s not a second factor. See above=E2=80=A6 It=E2=80=99s =
two things you know and not
something you have and something you know as you have claimed.
Calling a private key something you have instead of something you know
is the same kind of slight of hand that Wall Street uses when they take
a bunch of bad mortgages and package them up together and call it an
AAA rated bond. (and we all saw how well that worked out). If you =
don=E2=80=99t
know what I=E2=80=99m talking about, =E2=80=9CThe Big Short=E2=80=9D is =
worth a watch.
> suffers from the possibility that one could break the crypto and =
possibly
> escape the need to know one or even both factors. But Owen - come one =
-
Nope=E2=80=A6 Something you have isn=E2=80=99t subject to breaking the =
crypto, because
it=E2=80=99s strength doesn=E2=80=99t come from crypto, it=E2=80=99s =
strength comes from unique
physical properties that are difficult to duplicate and can be measured.
Something you are similarly isn=E2=80=99t subject to breaking the =
crypto, because it=E2=80=99s
strength comes from the unique physical properties of an individual =
person
which can be measured and are difficult to duplicate.
Yes, both can be broken and there are weaker and stronger choices. For
example, a hand scanner is weaker than a retina scanner is weaker than
a DNA scanner. Many of the finger print scanners are weaker than the
hand scanners, but good ones are almost as strong as a retina scanner.
> this silly argument pales and is so infinite insignificant to the real
> problem with the ssh key two factor system, which is that the key is =
easily
> stolen and duplicated and there is no way to check the quality of the
> password (users might even change the key password to NO password).
Right=E2=80=A6 That was, in fact, what I originally said at the end of =
my initial
message, but you chose to ignore that and focus on this rathole.
Since misinformation and lack of pedantry is fatal to good cryptographic
security (or good security in general), I felt compelled to correct you =
and
I still stand by what I have said.
Likely, as usual, neither of us is going to convince the other one.
I will say, however, that my understanding of these issues comes from
mentors that work with real security professionals and I would never
cite something as weak as PCI-DSS as an authority.
Most of my mentors in this area work primarily on contracts with three
letter government agencies that may or may not be known to exist =
publicly.
Owen
>=20
> Regards,
>=20
> Baldur
>=20
>=20
> On 27 December 2015 at 03:37, Owen DeLong <owen@delong.com> wrote:
>=20
>>=20
>>> On Dec 26, 2015, at 15:54 , Baldur Norddahl =
<baldur.norddahl@gmail.com>
>> wrote:
>>>=20
>>> On 27 December 2015 at 00:11, Owen DeLong <owen@delong.com> wrote:
>>>=20
>>>> No=E2=80=A6 You are missing the point. Guessing a private key is =
roughly
>>>> equivalent to guessing a really long
>>>> pass phrase. There is no way that the server side can enforce =
password
>>>> protection of the private key
>>>> on the client side, so if you are assuming that public-key
>> authentication
>>>> is two-factor, then you are
>>>> failing miserably.
>>>>=20
>>>=20
>>> The key approach is still better. Even if the password is 123456 the
>>> attacker is not going to get in, unless he somehow stole the key =
file.
>>=20
>> Incorrect=E2=80=A6 It is possible the attacker could brute-force the =
key file.
>>=20
>> A 1024 bit key is only as good as a ~256 character passphrase in =
terms of
>> entropy.
>>=20
>> If you are brute force or otherwise synthesizing the private key, you =
do
>> not need
>> the passphrase for the on-disk key. As was pointed out elsewhere, the
>> passphrase
>> for the key file only matters if you already stole the key file.
>>=20
>> In terms of guessing the private key vs. guessing a suitably long =
pass
>> phrase, the
>> difficulty is roughly equivalent.
>>=20
>>> Technically it is two-factor even if the user made one of the =
factors
>>> really easy. And that might save the day if you have users that =
chooses
>> bad
>>> passwords.
>>=20
>> Technically it=E2=80=99s not two-factor and pretending it is is =
dangerous.
>>=20
>>> The system is weak in that it is too easy to steal the key file. It =
is
>> not
>>> unlikely that a user with sloppy passwords is also sloppy with his =
key
>> file.
>>=20
>> Right=E2=80=A6 No matter what you do it is virtually impossible to =
protect against
>> sloppy
>> users.
>>=20
>> This has been true for decades even before the internet with =
teenagers
>> given house
>> keys.
>>=20
>>> Too bad ssh does not generally support a challenge-response protocol =
to a
>>> write only hardware key device combined with server side passwords =
that
>> can
>>> be checked against a blacklist.
>>=20
>> There=E2=80=99s no reason that it can=E2=80=99t if you use PAM.
>>=20
>> Owen
>>=20
>>=20
