06-10-2008, 08:26 AM
Nathaniel Homier

SSH private keys, dangerous to carry around or not. Was Where do you run ssh-keygen

Sudev Barar wrote:

2008/6/10 Nathaniel Homier <nathaniel.homier@bresnan.net>:

all is well. I carry my public and private key on my thumb drive and the
private key is protected with a passphrase.

Whoops .. do not carry your private key around. No. Keep it somewhere
only you can access and risk of losing it is zilch - almost.


I have the private key backed up on a desktop computer. The pass phrase was
generated with a high quality pseudo-random number generator using 20
characters consisting of letters, numbers and symbols. The key strength is
4096 and is rsa.


Yes, but if you are carrying private key in your pen drive and you
lose it or someone copies it your total security is compromised
howsoever strong encryption algorithm was used to generate the key
pair.

I was under the impression that the pass phrase encrypted the file and
that to make use of the private key I would have to supply my pass
phrase, so I thought the private key was useless without the pass
phrase. The 4096 bit just means that it would be pretty much impossible
with today's tech to brute force the pass phrase, even more so since I
use 20 characters. Every time I use the private key I have to supply
the pass phrase or I won't be able to connect to the ssh server. But I
could be wrong.



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
06-10-2008, 05:02 PM
Nathaniel Homier

SSH private keys, dangerous to carry around or not. Was Where do you run ssh-keygen

Jochen Schulz wrote:

Nathaniel Homier:

Sudev Barar wrote:

Yes, but if you are carrying private key in your pen drive and you
lose it or someone copies it your total security is compromised
howsoever strong encryption algorithm was used to generate the key
pair.
I was under the impression that the pass phrase encrypted the file and
that to make use of the private key I would have to supply my pass
phrase, so I thought the private key was useless without the pass
phrase.


Correct.

The 4096 bit just means that it would be pretty much impossible
with today's tech to brute force the pass phrase,


No, 4096 bit is the length of the key. Such a key is resistant to brute
force ("guessing it"). If someone has your key (encrypted with your
passphrase), the target of a brute force attack is obviously your
passphrase because it would reveal your key unencrypted.

J.


Thanks for the key length explanation.


 
06-10-2008, 05:17 PM
Tzafrir Cohen

SSH private keys, dangerous to carry around or not. Was Where do you run ssh-keygen

On Tue, Jun 10, 2008 at 11:30:40AM +0200, Jochen Schulz wrote:
> Nathaniel Homier:
> > Sudev Barar wrote:
> >>
> >> Yes, but if you are carrying private key in your pen drive and you
> >> lose it or someone copies it your total security is compromised
> >> howsoever strong encryption algorithm was used to generate the key
> >> pair.
> >
> > I was under the impression that the pass phrase encrypted the file and
> > that to make use of the private key I would have to supply my pass
> > phrase, so I thought the private key was useless without the pass
> > phrase.
>
> Correct.
>
> > The 4096 bit just means that it would be pretty much impossible
> > with today's tech to brute force the pass phrase,
>
> No, 4096 bit is the length of the key. Such a key is resistant to brute
> force ("guessing it"). If someone has your key (encrypted with your
> passphrase), the target of a brute force attack is obviously your
> passphrase because it would reveal your key unencrypted.

Actually, the private/public algorithms we normally use (RSA and DSA)
are not as robust to brute-force methods as the symmetric encryption
methods (e.g. AES).

Therefore an RSA key of 512 bits is something that is not considered
safe by any standards, whereas an AES key of 128 bits will probably
withstand brute-force search for quite some time (256-bit keys are
normally recommended "to be on the safe side").

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
ICQ# 16849754 | | friend


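Tzafrir's point that a key length means something different for RSA than for AES, and Nathaniel's earlier question of whether the 4096 figure or the 20-character passphrase is what a thief of the pen drive has to defeat, can be put side by side in numbers. The following Python is an added example, not code from the thread: the RSA figure uses the general number field sieve heuristic L_n[1/3, (64/9)^(1/3)] with lower-order terms dropped, so it is for ranking rather than an absolute claim, and the passphrase figure assumes each character was drawn uniformly at random from a 94-symbol printable alphabet (the alphabet size, the labels and the function names are the example's own assumptions).

```python
import math

LN2 = math.log(2)


def rsa_strength_bits(modulus_bits):
    """Rough work factor, in bits, to factor an RSA modulus of the given size.

    General number field sieve heuristic (lower-order terms dropped):
        L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
    Comparative only; it lands a few bits above the NIST SP 800-57 table values.
    """
    ln_n = modulus_bits * LN2            # ln n for an n-bit modulus
    c = (64 / 9) ** (1 / 3)
    work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / LN2                    # natural-log work -> bit count


def passphrase_entropy_bits(length, alphabet_size):
    """Entropy of a passphrase whose characters were chosen uniformly at random.

    Assumption: genuinely random choice. A human-chosen phrase of the same
    length carries far less, and that is the search space an attacker who
    holds the encrypted key file is actually working through.
    """
    return length * math.log2(alphabet_size)


def weakest_link(rsa_modulus_bits, passphrase_length, alphabet_size, symmetric_bits):
    """Rank the three things protecting a passphrase-encrypted RSA key file.

    Returns (name_of_weakest, {name: bits}). A key-derivation function adds a
    constant cost per guess but no bits, so it is deliberately not modelled.
    """
    strengths = {
        "rsa-modulus": rsa_strength_bits(rsa_modulus_bits),
        "passphrase": passphrase_entropy_bits(passphrase_length, alphabet_size),
        "file-cipher": float(symmetric_bits),
    }
    weakest = min(strengths, key=strengths.get)
    return weakest, strengths


if __name__ == "__main__":
    # Nathaniel's setup: RSA-4096, 20 random printable characters, AES-256 on the file.
    name, bits = weakest_link(4096, 20, 94, 256)
    for label, value in bits.items():
        print(f"{label:12s} ~{value:6.1f} bits")
    print("weakest link:", name)
    # Tzafrir's comparison: RSA-512 against AES-128.
    print(f"RSA-512 ~{rsa_strength_bits(512):.1f} bits of work; AES-128 = 128 bits")
```

With these assumptions the passphrase, at about 131 bits, is the smallest of the three numbers even though it is far beyond what can be guessed, which is the point of the thread: once the file is in someone else's hands, the passphrase is the only thing left, and a passphrase chosen by a person rather than a generator would rank far lower still.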
 
06-10-2008, 05:27 PM
Nathaniel Homier

SSH private keys, dangerous to carry around or not. Was Where do you run ssh-keygen

Tzafrir Cohen wrote:

On Tue, Jun 10, 2008 at 11:30:40AM +0200, Jochen Schulz wrote:

Nathaniel Homier:

Sudev Barar wrote:

Yes, but if you are carrying private key in your pen drive and you
lose it or someone copies it your total security is compromised
howsoever strong encryption algorithm was used to generate the key
pair.
I was under the impression that the pass phrase encrypted the file and
that to make use of the private key I would have to supply my pass
phrase, so I thought the private key was useless without the pass
phrase.

Correct.

The 4096 bit just means that it would be pretty much impossible
with today's tech to brute force the pass phrase,

No, 4096 bit is the length of the key. Such a key is resistant to brute
force ("guessing it"). If someone has your key (encrypted with your
passphrase), the target of a brute force attack is obviously your
passphrase because it would reveal your key unencrypted.


Actually, the private/public algorithms we normally use (RSA and DSA)
are not as robust to brute-force methods as the symmetric encryption
methods (e.g. AES).


Therefore an RSA key of 512 bits is something that is not considered
safe by any standards, whereas an AES key of 128 bits will probably
withstand brute-force search for quite some time (256-bit keys are
normally recommended "to be on the safe side").

My private key was generated by PuTTY. And has this at the top:
PuTTY-User-Key-File-2: ssh-rsa Encryption: aes256-cbc. I assume then
that it means the file is encrypted with AES256 and this is high
quality, is this correct? Also, what does the cbc mean?



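The two lines Nathaniel quotes are how PuTTY records, at the top of a .ppk file, whether and with which cipher the private part is encrypted. The same fact can be read off the two OpenSSH private key formats, and a short audit script over ~/.ssh and any keys kept on removable media will flag the case Sudev is warning about: a private key file that needs no passphrase at all. This Python is an added example, not code from the thread or from PuTTY or OpenSSH; the sample files are constructed (real header layouts, placeholder bodies rather than key material), and the function names are the example's own.

```python
import base64
import struct

# ---- constructed samples: headers follow the real formats, bodies are placeholders, not keys ----
PPK_V2_ENCRYPTED = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: rsa-key-20080610
Public-Lines: 1
AAAAB3NzaC1yc2EAAAABJQAAAQEAplaceholder
Private-Lines: 1
PLACEHOLDERCIPHERTEXT
Private-MAC: 0000000000000000000000000000000000000000
"""
PPK_V2_PLAINTEXT = PPK_V2_ENCRYPTED.replace("Encryption: aes256-cbc", "Encryption: none")

PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

PLACEHOLDERBASE64
-----END RSA PRIVATE KEY-----
"""
PEM_PLAINTEXT = """-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBASE64
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b):
    # SSH wire encoding: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b


def make_openssh_v1(cipher, kdf):
    """Constructed sample: only the leading fields of an 'openssh-key-v1' container.

    A real file continues with the key data; the cipher name is all the audit needs.
    """
    raw = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
           + _ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(raw).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"


def classify_private_key(text):
    """Return (format, cipher). cipher == 'none' means the private key sits on disk unencrypted."""
    lines = text.splitlines()
    first = lines[0].strip() if lines else ""

    if first.startswith("PuTTY-User-Key-File-"):
        # PPK v2 and v3 both carry an 'Encryption:' header; v3 adds Key-Derivation lines.
        version = first.split(":", 1)[0].rsplit("-", 1)[1]
        headers = {}
        for line in lines[1:]:
            if ":" in line:                      # base64 body lines contain no ':'
                k, v = line.split(":", 1)
                headers[k.strip()] = v.strip()
        return "ppk-v" + version, headers.get("Encryption", "none")

    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New OpenSSH format: cipher name is the first string after the magic.
        b64 = "".join(l for l in lines[1:] if not l.startswith("-----"))
        raw = base64.b64decode(b64)
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return "openssh-v1", raw[off + 4:off + 4 + n].decode()

    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is announced by RFC 1421 style headers before a blank line.
        for line in lines[1:]:
            if line.startswith("DEK-Info:"):
                return "pem", line.split(":", 1)[1].split(",")[0].strip().lower()
            if line.strip() == "":
                break
        return "pem", "none"

    raise ValueError("unrecognised private key format")


def unprotected(text):
    """True when the file would be usable as-is by whoever picks up the drive."""
    return classify_private_key(text)[1] == "none"


if __name__ == "__main__":
    for label, sample in [("ppk encrypted", PPK_V2_ENCRYPTED), ("ppk plaintext", PPK_V2_PLAINTEXT),
                          ("pem encrypted", PEM_ENCRYPTED), ("pem plaintext", PEM_PLAINTEXT),
                          ("openssh encrypted", make_openssh_v1(b"aes256-ctr", b"bcrypt")),
                          ("openssh plaintext", make_openssh_v1(b"none", b"none"))]:
        fmt, cipher = classify_private_key(sample)
        print(f"{label:18s} {fmt:11s} {cipher:12s} {'UNPROTECTED' if cipher == 'none' else 'ok'}")
```

The header tells you only that a passphrase is required, not how good the passphrase is; a file that reports `aes256-cbc` still stands or falls with the phrase chosen for it.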
 
06-10-2008, 06:02 PM

SSH private keys, dangerous to carry around or not. Was Where do you run ssh-keygen

> Tzafrir Cohen wrote:
>> On Tue, Jun 10, 2008 at 11:30:40AM +0200, Jochen Schulz wrote:
>>> Nathaniel Homier:
>>>> Sudev Barar wrote:
>>>>> Yes, but if you are carrying private key in your pen drive and you
>>>>> lose it or someone copies it your total security is compromised
>>>>> howsoever strong encryption algorithm was used to generate the key
>>>>> pair.
>>>> I was under the impression that the pass phrase encrypted the file and
>>>> that to make use of the private key I would have to supply my pass
>>>> phrase, so I thought the private key was useless without the pass
>>>> phrase.
>>> Correct.
>>>
>>>> The 4096 bit just means that it would be pretty much impossible
>>>> with today's tech to brute force the pass phrase,
>>> No, 4096 bit is the length of the key. Such a key is resistant to brute
>>> force ("guessing it"). If someone has your key (encrypted with your
>>> passphrase), the target of a brute force attack is obviously your
>>> passphrase because it would reveal your key unencrypted.
>>
>> Actually, the private/public algorithms we normally use (RSA and DSA)
>> are not as robust to brute-force methods as the symmetric encryption
>> methods (e.g. AES).
>>
>> Therefore an RSA key of 512 bits is something that is not considered
>> safe by any standards, whereas an AES key of 128 bits will probably
>> withstand brute-force search for quite some time (256-bit keys are
>> normally recommended "to be on the safe side").
>>
> My private key was generated by PuTTY. And has this at the top:
> PuTTY-User-Key-File-2: ssh-rsa Encryption: aes256-cbc. I assume then
> that it means the file is encrypted with AES256 and this is high
> quality, is this correct? Also, what does the cbc mean?

AES (advanced encryption algorithm) 256 (256 bit key) and cbc (cipher
block chaining, an encryption mode in which the plaintext is "blocked",
and each block is encrypted in such a manner that the next block depends
not only on the key but also on the last encrypted block).
Larry



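Larry's description of CBC can be made concrete. Below is an added example, not code from the thread and not PuTTY's implementation, of CBC mode over a 16-byte block: the block cipher is a constructed four-round Feistel toy standing in for AES, the passphrase is stretched into a 256-bit key with PBKDF2-HMAC-SHA256, and the padding is PKCS#7. The helper names, the salt, the IV and the sample key blob are the example's own. It shows the chaining Larry describes (a one-byte change in the first plaintext block changes every ciphertext block after it), that a wrong passphrase yields nothing usable, and the other side of chaining, which is why PuTTY also stores a Private-MAC line: a modified ciphertext block garbles its own plaintext block and flips exactly the same bits in the next one, which encryption alone does not detect.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, the same as AES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, half, i):
    # Round function of the toy cipher: keyed hash of one half, truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def _block_encrypt(key, block):
    """Toy 16-byte block cipher (4-round Feistel network), a stand-in for AES. Not for real use."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round_fn(key, r, i))
    return l + r


def _block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round_fn(key, l, i)), l
    return l + r


def key_from_passphrase(passphrase, salt, iterations=100_000):
    """Stretch the passphrase into the 256-bit file key; this is what a thief of the file must guess."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def _pad(data):  # PKCS#7: always append 1..16 bytes, each equal to the count
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    """CBC: each plaintext block is XORed with the previous ciphertext block (IV first) before encryption."""
    data = _pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = _block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_blocks(key, iv, ciphertext):
    """CBC decryption without padding removal, so the effect of a tampered block can be inspected."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(_block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    return _unpad(cbc_decrypt_blocks(key, iv, ciphertext))


def unlock(passphrase, salt, iv, ciphertext):
    """Decrypt a key blob with a passphrase; None when the padding check rejects the result."""
    try:
        return cbc_decrypt(key_from_passphrase(passphrase, salt), iv, ciphertext)
    except ValueError:
        return None


def changed_blocks(ct_a, ct_b):
    """Indices of the ciphertext blocks that differ between two ciphertexts of equal length."""
    return [i // BLOCK for i in range(0, len(ct_a), BLOCK) if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]]


# Constructed sample: a 48-byte stand-in for private key material, with a fixed salt and IV.
SALT = b"constructed-salt"
IV = bytes(range(BLOCK))
KEY_BLOB = b"constructed sample private key blob, 48 bytes!!!"
PASSPHRASE = "correct horse battery staple"  # sample only

if __name__ == "__main__":
    key = key_from_passphrase(PASSPHRASE, SALT)
    ct = cbc_encrypt(key, IV, KEY_BLOB)
    ct2 = cbc_encrypt(key, IV, b"X" + KEY_BLOB[1:])
    print("blocks changed by a one-byte change in block 0:", changed_blocks(ct, ct2))
    print("wrong passphrase ->", unlock("wrong", SALT, IV, ct))
    tampered = bytearray(ct)
    tampered[3] ^= 0x01                       # flip one bit in ciphertext block 0
    pt = cbc_decrypt_blocks(key, IV, bytes(tampered))
    print("block 0 garbled:", pt[:16] != KEY_BLOB[:16],
          "| same bit flipped in block 1:", pt[19] == KEY_BLOB[19] ^ 0x01)
```

The padding check in `unlock` is a weak integrity test (a wrong passphrase slips past it about one time in 256 and returns garbage instead of None), which is one more reason a real key file format keeps a separate MAC over the decrypted contents rather than relying on the cipher mode.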
 
06-10-2008, 06:08 PM
Nathaniel Homier

SSH private keys, dangerous to carry around or not. Was Where do you run ssh-keygen

owens@peak.org wrote:

Tzafrir Cohen wrote:

On Tue, Jun 10, 2008 at 11:30:40AM +0200, Jochen Schulz wrote:

Nathaniel Homier:

Sudev Barar wrote:

Yes, but if you are carrying private key in your pen drive and you
lose it or someone copies it your total security is compromised
howsoever strong encryption algorithm was used to generate the key
pair.

I was under the impression that the pass phrase encrypted the file and
that to make use of the private key I would have to supply my pass
phrase, so I thought the private key was useless without the pass
phrase.

Correct.


The 4096 bit just means that it would be pretty much impossible
with today's tech to brute force the pass phrase,

No, 4096 bit is the length of the key. Such a key is resistant to brute
force ("guessing it"). If someone has your key (encrypted with your
passphrase), the target of a brute force attack is obviously your
passphrase because it would reveal your key unencrypted.

Actually, the private/public algorithms we normally use (RSA and DSA)
are not as robust to brute-force methods as the symmetric encryption
methods (e.g. AES).

Therefore an RSA key of 512 bits is something that is not considered
safe by any standards, whereas an AES key of 128 bits will probably
withstand brute-force search for quite some time (256-bit keys are
normally recommended "to be on the safe side").


My private key was generated by PuTTY. And has this at the top:
PuTTY-User-Key-File-2: ssh-rsa Encryption: aes256-cbc. I assume then
that it means the file is encrypted with AES256 and this is high
quality, is this correct? Also, what does the cbc mean?


AES (advanced encryption algorithm) 256 (256 bit key) and cbc (cipher
block chaining, an encryption mode in which the plaintext is "blocked",
and each block is encrypted in such a manner that the next block depends
not only on the key but also on the last encrypted block).
Larry

Thanks very much for the explanation Larry.


 