Re: ssh primer (was Re: pull vs push (was Re: [bk patch] Make cardbus compile in -pre4))

[Aaron Lehmann <aaronl@vitelus.com>]

On Wed, Feb 13, 2002 at 07:22:57PM -0500, Rob Landley wrote:
> In terms of brute forcing the key, the passphrase adds a fairly trivial 
> number of bits to the key.  It's not "far" easer, an 8 character mixed case 
> nonsense password with numbers and punctuation mixed in is still less than 6 
> bits per character, or at best an extra 48 bits.  You can select a 1024 bit 
> key if you want to be really really paranoid.

I agree that it isn't worth it.

I assume that Jeff didn't understand the principles behind public key
cryptography that SSH uses which keep communications secure unless the
private key is compromised (and the private key should never leave
client machine). When you have a passphrase, you encrypt this private
key with a hash of it. Not having a passphrase removes this layer of
security, but if you include the passphrase in a script for automatic
use you're undoing any advantage that a passphrase gives you in the
first place.

In short, to compromise a private key without access to that key
(which presumably only you would have if the key was on your system,
and you must assume that if someone could access your private key they
could access any passphrase you were storing in a script to facilitate
automatic use of it), you'd have to either have unheard of amounts of
computational power and a few millenia on your hands, or come across a
mathematical breakthrough. I certainly hope that Mr. Garzik has not
broken public key cryptography!

Note that you can't compare public key bits to passphrase bits (which
are more like symmetric key bits). You probably know this.

> Not that it's worth it.  Keys get exponentially more difficult to brute force 
> as the key length increases.  I read part of a book a long time ago (might 
> have been called "applied cryptography") that figured out that if you could 
> build a perfectly efficient computer that could do 1 bit's worth of 
> calculation with the the amount of energy in the minimal electron state 
> transition in a hydrogen atom, and you built a dyson sphere around the sun to 
> capture its entire energy output for the however many billion years its 
> expected to last, you wouldn't even brute-force exhaust a relatively small 
> keyspace (128 bits?  256 bits?  Something like that).

That was Applied Cryptography. I believe he said that the energy
output of a supernova was insufficient to cycle a counter through
about 2^190, based on accepted thermodynamic principles and data. Of
course, this makes brute force of something like a 256 bit symmetric
key completely infeasible and bounded by physical law. Not that 128
bits is very shabby, but it only takes a few billion years of all the
current computing power on earth to brute force something like that.