[cryptography] can the German government read PGP and ssh traffic?
von at vonwelch.com
Tue Jun 5 09:07:55 EDT 2012
> "passwords are insecure, PKCs are secure, therefore anything
> that uses PKCs is magically made secure"
Well as you said, you have to look at what happens in the real world. I would argue PKCs make things obscure, which buys you a fair amount of security until some undetermined point in time (past or future) when an attacker gets serious enough to understand what you are doing.
On Jun 5, 2012, at 8:11 AM, Peter Gutmann wrote:
> Thierry Moreau <thierry.moreau at connotech.com> writes:
>> Unless automated SSH sessions are needed (which is a different problem
>> space), the SSH session is directly controlled by a user. Then, the private
>> key is stored encrypted on long term storage (swap space vulnerability
>> remaining, admittedly) and in *plaintext*form*only*momentarily* for SSH
>> handshake computations following a decryption password entered by the user.
> ...except that a user study a few years back ("Inocilating SSH Against Address
> Harvesting") found that two thirds of all SSH private keys were stored in
> plaintext on disk. You need to look at what actually happens in practice, not
> what in theory should happen in an ideal world.
> In any case though you're completely missing the point of my argument (as did
> the previous poster), which is that a scary number of people follow the
> thinking that "passwords are insecure, PKCs are secure, therefore anything
> that uses PKCs is magically made secure" even when it's quite obviously not
> secure at all. This is magical thinking, not any kind of reasoned assessment
> of security.
> cryptography mailing list
> cryptography at randombit.net
More information about the cryptography