[cryptography] can the German government read PGP and ssh traffic?

Von Welch von at vonwelch.com
Tue Jun 5 09:07:55 EDT 2012


> "passwords are insecure, PKCs are secure, therefore anything
> that uses PKCs is magically made secure" 

Well as you said, you have to look at what happens in the real world. I would argue PKCs make things obscure, which buys you a fair amount of security until some undetermined point in time (past or future) when an attacker gets serious enough to understand what you are doing.

Von

On Jun 5, 2012, at 8:11 AM, Peter Gutmann wrote:

> Thierry Moreau <thierry.moreau at connotech.com> writes:
> 
>> Unless automated SSH sessions are needed (which is a different problem
>> space), the SSH session is directly controlled by a user. Then, the private
>> key is stored encrypted on long term storage (swap space vulnerability
>> remaining, admittedly) and in *plaintext*form*only*momentarily* for SSH
>> handshake computations following a decryption password entered by the user. 
> 
> ...except that a user study a few years back ("Inocilating SSH Against Address
> Harvesting") found that two thirds of all SSH private keys were stored in
> plaintext on disk.  You need to look at what actually happens in practice, not
> what in theory should happen in an ideal world.
> 
> In any case though you're completely missing the point of my argument (as did
> the previous poster), which is that a scary number of people follow the
> thinking that "passwords are insecure, PKCs are secure, therefore anything
> that uses PKCs is magically made secure" even when it's quite obviously not
> secure at all.  This is magical thinking, not any kind of reasoned assessment
> of security.
> 
> Peter.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography




More information about the cryptography mailing list