
Re: Packages to remove from frozen



isn't the problem here that the server is misrepresenting itself? a one bit
difference may not make a less secure key, but it could quite possibly be an
indication of some deception. i worry that altering the client to ignore
this type of error will only open us up to attack, be it man-in-the-middle
or otherwise.

Ben Armstrong (synrg@sanctuary.nslug.ns.ca) wrote:
> On Thu, 9 Mar 2000, Junichi Uekawa wrote:
> > Isn't it that decrypting a 1024 key takes double the amount of
> > CPU time of decrypting a 1023 key, as long as there is no other
> > method than the brute-force method of trying every combination?
> > 
> > IMO it is a serious security issue when the system is half as secure
> > and one is not notified. And the person is trying to use ssh.
> 
> Where 'n' is a "reasonable" amount of time to crack a key using
> brute-force, doubling 'n' does not equate to doubling the security of your
> system.  At the most, you have caused the cracker the minor annoyance of
> having to wait twice as long for a result. 
> 
> Conversely, if '2n' is an "unreasonable" amount of time to crack a key
> using brute-force, halving it to 'n' does not equate to halving the
> security of your system.
> 
> In other words, I rely on my ssh keys being several orders of magnitude
> more difficult to crack than weaker crypto that is crackable in a
> "reasonable" amount of time by brute force.  Whether the keys are 1023 bit
> or 1024 bit is irrelevant.  Both accomplish this goal.
> 
> Ben
> -- 
>     nSLUG       http://www.nslug.ns.ca      synrg@sanctuary.nslug.ns.ca
>     Debian      http://www.debian.org       synrg@debian.org
> [ pgp key fingerprint = 7F DA 09 4B BA 2C 0D E0  1B B1 31 ED C6 A9 39 4F ]
> [ gpg key fingerprint = 395C F3A4 35D3 D247 1387  2D9E 5A94 F3CA 0B27 13C8 ]

-- 
(jacob kuntz)                    jpk@cape.com jake@{megabite,underworld}.net
(megabite systems)                       "think free speech, not free beer."

