[28425] in North American Network Operators' Group


Re: ABOVE.NET SECURITY TRUTHS?

daemon@ATHENA.MIT.EDU (Joshua Goodall)
Sat Apr 29 03:35:25 2000

Date: Sat, 29 Apr 2000 09:32:00 +0200 (CEST)
From: Joshua Goodall <joshua@roughtrade.net>
To: Deepak Jain <deepak@ai.net>
Cc: "Steven M. Bellovin" <smb@research.att.com>,
	Chris Cappuccio <chris@dqc.org>,
	"Mr. James W. Laferriere" <babydr@baby-dragons.com>,
	"Greene,     Dylan" <DGreene@navisite.com>,
	"'Paul Froutan'" <pfroutan@rackspace.com>, rmeyer@mhsc.com,
	nanog@merit.edu
In-Reply-To: <Pine.BSF.4.21.0004282344340.25013-100000@aries.ai.net>
Message-ID: <Pine.BSF.4.21.0004290910540.9834-100000@juice.shallow.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu

> Since we are going into a description of cryptography, we might as well
> bring up that since the random number generator used to generate the
> supposedly random RSA key pair _is_ predictable ... [split]

This statement is a little too broad. I would contest that the design of,
say, FreeBSD's /dev/random permits sufficient entropy collection to
usefully initialise a strong hashing algorithm with a non-predictable
vector.

> [split] ... the whole idea of perfect security is improbable at best;
> the exercise does make it difficult for people with only a casual
> interest in your operations to directly compromise them.

This statement hits the mark, but I like to be explicit, to scare security
neophytes: if you have ever crossed-over passwords, shared them between
two systems, or made any kind of assumption that means the security of one
password has depended on the security of another, then all such linked
accounts' passwords are potentially compromised simultaneously.

If you're paranoid enough to accept that, then:

a) maybe your security could be good enough
b) perhaps you should consider using SSH key agents rather than passwords.

- joshua
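The point about linked passwords above can be made concrete by modelling credential dependencies as a graph and computing how far a single compromise propagates. The following is an added example and not part of the post or the thread; the hosts, account names, secret labels and dependency edges are all constructed for illustration. Accounts that share a secret are linked in both directions; an account whose credential is readable from another account (a password kept in a file or cron job on that host, say) is reachable from that account.

```python
from collections import deque

# Constructed sample inventory (hypothetical hosts, accounts and secret labels).
# password_id is an opaque label identifying a secret, never the secret itself.
# depends_on lists accounts whose compromise exposes this account's credential,
# e.g. because the credential is stored somewhere that account can read.
ACCOUNTS = [
    {"account": "alice@router1", "password_id": "pw-A", "depends_on": []},
    {"account": "alice@server1", "password_id": "pw-A", "depends_on": []},
    {"account": "root@server1",  "password_id": "pw-B", "depends_on": ["alice@server1"]},
    {"account": "backup@nas",    "password_id": "pw-C", "depends_on": ["root@server1"]},
    {"account": "bob@router2",   "password_id": "pw-D", "depends_on": []},
    {"account": "alice@mail",    "password_id": "pw-E", "depends_on": []},
]


def shared_passwords(accounts):
    """Return {password_id: sorted accounts} for secrets used by more than one account."""
    by_secret = {}
    for entry in accounts:
        by_secret.setdefault(entry["password_id"], []).append(entry["account"])
    return {pid: sorted(accs) for pid, accs in by_secret.items() if len(accs) > 1}


def build_graph(accounts):
    """Directed graph: an edge a -> b means that compromising a also compromises b."""
    graph = {entry["account"]: set() for entry in accounts}
    # A shared secret links the accounts that use it in both directions.
    for accs in shared_passwords(accounts).values():
        for a in accs:
            for b in accs:
                if a != b:
                    graph[a].add(b)
    # A stored or derivable credential links the holder to the dependent account.
    for entry in accounts:
        for holder in entry["depends_on"]:
            graph.setdefault(holder, set()).add(entry["account"])
    return graph


def blast_radius(accounts, compromised):
    """Every account reachable from the compromised one (itself included)."""
    graph = build_graph(accounts)
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)


if __name__ == "__main__":
    print("shared secrets:", shared_passwords(ACCOUNTS))
    for acct in ("alice@router1", "root@server1", "bob@router2"):
        exposed = sorted(blast_radius(ACCOUNTS, acct))
        print(f"compromise of {acct} exposes: {exposed}")
```

With the constructed data, losing alice's reused password on router1 exposes four accounts, because the shared secret reaches server1 and the stored credentials chain from there to root and on to the backup account; bob@router2 and alice@mail, which share nothing, stay isolated. Replacing the shared password with per-host SSH keys held in an agent removes the bidirectional edge and collapses the first group.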