de-peering for security sake

Matthew Petach mpetach at netflight.com
Sun Dec 27 06:06:29 UTC 2015


On Sat, Dec 26, 2015 at 6:37 PM, Owen DeLong <owen at delong.com> wrote:
>> On Dec 26, 2015, at 15:54 , Baldur Norddahl <baldur.norddahl at gmail.com> wrote:
>>
[...]

>> The key approach is still better. Even if the password is 123456 the
>> attacker is not going to get in, unless he somehow stole the key file.
>
> Incorrect… It is possible the attacker could brute-force the key file.
>
> A 1024 bit key is only as good as a ~256 character passphrase in terms of entropy.
>
> If you are brute force or otherwise synthesizing the private key, you do not need
> the passphrase for the on-disk key. As was pointed out elsewhere, the passphrase
> for the key file only matters if you already stole the key file.
>
> In terms of guessing the private key vs. guessing a suitably long pass phrase, the
> difficulty is roughly equivalent.

Intriguing point. I was thinking about it from the end-user perspective; but you're right, from the bits-on-the-wire perspective, it's all just a stream of 1's and 0's, whether it came from a private key + passphrase run through an algorithm or not.

Thanks for the reminder to look at it from multiple perspectives. ^_^


Matt
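Added illustration (not part of the thread, and not a statement by either poster): the "1024 bit key vs ~256 character passphrase" ratio quoted above corresponds to an assumption of roughly 4 bits of entropy per character. The snippet below computes passphrase entropy from the character classes actually used, and also shows the symmetric-equivalent strength of an RSA modulus; the strength table is assumed here from NIST SP 800-57 Part 1 and is not from the original message.

```python
import math

# Symmetric-equivalent strength (bits) of RSA modulus sizes.
# Assumption: values taken from NIST SP 800-57 Part 1, not from the thread.
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

# Character classes and their alphabet sizes (printable ASCII: 26+26+10+33 = 95).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def classify(ch):
    """Map one character to the class it draws from."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "symbol"


def passphrase_entropy_bits(passphrase):
    """Upper-bound entropy: every character chosen uniformly from the union
    of character classes that appear in the passphrase."""
    alphabet = sum(CLASSES[c] for c in {classify(ch) for ch in passphrase})
    return len(passphrase) * math.log2(alphabet)


def chars_needed(target_bits, bits_per_char):
    """Passphrase length needed to reach target_bits at a given per-character entropy."""
    return math.ceil(target_bits / bits_per_char)


def rsa_strength_bits(modulus_bits):
    """Effective (symmetric-equivalent) strength of an RSA key, rounded down to
    the largest tabulated modulus not exceeding the given size."""
    sizes = [s for s in RSA_STRENGTH if s <= modulus_bits]
    if not sizes:
        raise ValueError("modulus smaller than any tabulated size")
    return RSA_STRENGTH[max(sizes)]


def compare(passphrase, modulus_bits):
    """Return (passphrase entropy, nominal key bits, effective key bits)."""
    return (passphrase_entropy_bits(passphrase), modulus_bits, rsa_strength_bits(modulus_bits))


if __name__ == "__main__":
    print("256 chars at 4 bits/char:", chars_needed(1024, 4.0), "chars match 1024 nominal bits")
    print("chars of full printable ASCII to match RSA-1024 strength:",
          chars_needed(rsa_strength_bits(1024), math.log2(95)))
    print("123456 vs RSA-1024:", compare("123456", 1024))
```

The nominal modulus size and the effective strength differ by an order of magnitude, which is why "1024 bits" should not be read as 1024 bits of entropy when sizing a passphrase against it.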



More information about the NANOG mailing list