de-peering for security sake

Owen DeLong owen at
Sun Dec 27 08:38:06 UTC 2015

> On Dec 26, 2015, at 20:35 , Baldur Norddahl <baldur.norddahl at> wrote:
> Owen you misunderstood what two factor is about. It is not practical to
> brute force the key file. Nor is it practical to brute force a good
> passphrase or password. Both have sufficient strength to withstand attack.

This simply isn’t as true as it’s assumed to be, but let’s move on for the moment.

> But two factor is about having two things that needs to be broken. The key
> can be stolen, but the thief needs the password. The password can be
> stolen, but the thief needs the key. He needs both.

If the key file is stolen, you have one search space, the pass phrase to unlock the key.

If the key file is not stolen, you have one search space: the key.

> SSH password + key file is accepted as two factor by PCI DSS auditors, so
> yes it is in fact two factor.

PCI DSS auditors think that NAT is a form of security, so don’t get me started on the
fact that the PCI DSS auditors haven’t a clue about actual security. PCI DSS is more
about security theater than security. In some ways, they’re even less competent than
the TSA.

> But it is weak two factor because the key file is too easily stolen. NOT
> because the key file can be brute forced. Nor because hypothetically
> someone could memorize the content of the key file.

Either way, you only have one search space. If you don’t have the key file, then the
key is your search space. If you have the key file, then the passphrase may be an
easier search space.

> It is also weak because the key file can be duplicated. Note it does not
> stop being two factor because of this, but stronger hardware based two
> factor systems usually come with the property that it is very hard to
> duplicate the key. Other examples of a two factor system were the key is
> easy to duplicate is credit card with magnetic strip + pin. Example where
> it is hard to duplicate is credit card with chip + pin. Both are examples
> of where the password (the pin) is actually very weak, but it is still two
> factor.

To actually be two-factor, it needs to be two of something you have, something
you know, something you are. The strongest combination is something you know
and something you are (e.g. Retina, hand scan, etc. combined with PIN/Password).

SSH Key protected by pass phrase is just two things you know. Admittedly, one
of them is a thing you know because you stored it on disk instead of memorizing
it, but it’s not really something you have because as you pointed out, it can be
easily duplicated and also it can be transported without requiring physical

Something you have, in order to truly be a second factor, has to be a unique
item that is:
	1.	In your possession
	2.	Cannot be (easily) duplicated without your knowledge
		(The greater the degree of difficulty for duplication, the better this is,
		but a Schlage key, for example, is sufficiently difficult to qualify in most
	3.	Theft can be reliably detected by the fact it is no longer in your possession.

An RSA or DSA key does not meet those criteria because it can be copied without
your knowledge and without removing the key from your possession.

> Btw, you should not be using RSA anymore and a 1024 bit RSA key does not in
> fact have a strength equal to 1024 bits entropy. It was considered equal to
> about 128 bit of entropy, but is believed to be weaker now. I am using ECC
> ecdsa-sha2-nistp521 which is equal to about 256 bits. Although some people
> with tin foil hats believe we should stay away from NIST altogether. Unless
> someone breaks the crypto, you are NOT going to brute force that key.

I think you’re the first person to bring up 1024 RSA keys here. I only said private
keys. A very large fraction of SSH users are still using 1024 bit DSA keys in the
real world. I am still using 2048 bit DSA keys. ECC would be better.

I also didn’t say that a 1024 bit key had 1024 bits of entropy. I said that a 1024
bit key and a 256-character pass phrase have about the same entropy. There
are about 128 bits of entropy in a good 256 character pass phrase. There are
about 128 bits of entropy in a 1024 bit DSA key.

> Yes I get your argument, you are saying break the key and you won't need
> the password, but a) you can't actually break the key before the universe
> ends, b) it is still two factor, just a extremely tiny in the academic

If you have enough cheap GPUs, you can actually break a 1024 bit key
well before the universe ends. In fact, you can probably break it before
the end of 2016 if you’re willing to put about $30k into the process.

> sense little bit weaker two factor. All crypto based two factor systems

No, it’s not a second factor. See above… It’s two things you know and not
something you have and something you know as you have claimed.

Calling a private key something you have instead of something you know
is the same kind of slight of hand that Wall Street uses when they take
a bunch of bad mortgages and package them up together and call it an
AAA rated bond. (and we all saw how well that worked out). If you don’t
know what I’m talking about, “The Big Short” is worth a watch.

> suffers from the possibility that one could break the crypto and possibly
> escape the need to know one or even both factors. But Owen - come one -

Nope… Something you have isn’t subject to breaking the crypto, because
it’s strength doesn’t come from crypto, it’s strength comes from unique
physical properties that are difficult to duplicate and can be measured.

Something you are similarly isn’t subject to breaking the crypto, because it’s
strength comes from the unique physical properties of an individual person
which can be measured and are difficult to duplicate.

Yes, both can be broken and there are weaker and stronger choices. For
example, a hand scanner is weaker than a retina scanner is weaker than
a DNA scanner. Many of the finger print scanners are weaker than the
hand scanners, but good ones are almost as strong as a retina scanner.

> this silly argument pales and is so infinite insignificant to the real
> problem with the ssh key two factor system, which is that the key is easily
> stolen and duplicated and there is no way to check the quality of the
> password (users might even change the key password to NO password).

Right… That was, in fact, what I originally said at the end of my initial
message, but you chose to ignore that and focus on this rathole.

Since misinformation and lack of pedantry is fatal to good cryptographic
security (or good security in general), I felt compelled to correct you and
I still stand by what I have said.

Likely, as usual, neither of us is going to convince the other one.

I will say, however, that my understanding of these issues comes from
mentors that work with real security professionals and I would never
cite something as weak as PCI-DSS as an authority.

Most of my mentors in this area work primarily on contracts with three
letter government agencies that may or may not be known to exist publicly.


> Regards,
> Baldur
> On 27 December 2015 at 03:37, Owen DeLong <owen at> wrote:
>>> On Dec 26, 2015, at 15:54 , Baldur Norddahl <baldur.norddahl at>
>> wrote:
>>> On 27 December 2015 at 00:11, Owen DeLong <owen at> wrote:
>>>> No… You are missing the point. Guessing a private key is roughly
>>>> equivalent to guessing a really long
>>>> pass phrase. There is no way that the server side can enforce password
>>>> protection of the private key
>>>> on the client side, so if you are assuming that public-key
>> authentication
>>>> is two-factor, then you are
>>>> failing miserably.
>>> The key approach is still better. Even if the password is 123456 the
>>> attacker is not going to get in, unless he somehow stole the key file.
>> Incorrect… It is possible the attacker could brute-force the key file.
>> A 1024 bit key is only as good as a ~256 character passphrase in terms of
>> entropy.
>> If you are brute force or otherwise synthesizing the private key, you do
>> not need
>> the passphrase for the on-disk key. As was pointed out elsewhere, the
>> passphrase
>> for the key file only matters if you already stole the key file.
>> In terms of guessing the private key vs. guessing a suitably long pass
>> phrase, the
>> difficulty is roughly equivalent.
>>> Technically it is two-factor even if the user made one of the factors
>>> really easy. And that might save the day if you have users that chooses
>> bad
>>> passwords.
>> Technically it’s not two-factor and pretending it is is dangerous.
>>> The system is weak in that it is too easy to steal the key file. It is
>> not
>>> unlikely that a user with sloppy passwords is also sloppy with his key
>> file.
>> Right… No matter what you do it is virtually impossible to protect against
>> sloppy
>> users.
>> This has been true for decades even before the internet with teenagers
>> given house
>> keys.
>>> Too bad ssh does not generally support a challenge-response protocol to a
>>> write only hardware key device combined with server side passwords that
>> can
>>> be checked against a blacklist.
>> There’s no reason that it can’t if you use PAM.
>> Owen

More information about the NANOG mailing list