On Dec 26, 2015, at 20:35 , Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
Owen you misunderstood what two factor is about. It is not practical to brute force the key file. Nor is it practical to brute force a good passphrase or password. Both have sufficient strength to withstand attack.
This simply isn’t as true as it’s assumed to be, but let’s move on for the moment.
But two factor is about having two things that need to be broken. The key can be stolen, but the thief needs the password. The password can be stolen, but the thief needs the key. He needs both.
If the key file is stolen, you have one search space, the pass phrase to unlock the key. If the key file is not stolen, you have one search space: the key.
SSH password + key file is accepted as two factor by PCI DSS auditors, so yes it is in fact two factor.
PCI DSS auditors think that NAT is a form of security, so don’t get me started on the fact that the PCI DSS auditors haven’t a clue about actual security. PCI DSS is more about security theater than security. In some ways, they’re even less competent than the TSA.
But it is weak two factor because the key file is too easily stolen. NOT because the key file can be brute forced. Nor because hypothetically someone could memorize the content of the key file.
Either way, you only have one search space. If you don’t have the key file, then the key is your search space. If you have the key file, then the passphrase may be an easier search space.
It is also weak because the key file can be duplicated. Note it does not stop being two factor because of this, but stronger hardware based two factor systems usually come with the property that it is very hard to duplicate the key. Other examples of a two factor system where the key is easy to duplicate is credit card with magnetic strip + pin. Example where it is hard to duplicate is credit card with chip + pin. Both are examples of where the password (the pin) is actually very weak, but it is still two factor.
To actually be two-factor, it needs to be two of something you have, something you know, something you are. The strongest combination is something you know and something you are (e.g. Retina, hand scan, etc. combined with PIN/Password). SSH Key protected by pass phrase is just two things you know. Admittedly, one of them is a thing you know because you stored it on disk instead of memorizing it, but it’s not really something you have because as you pointed out, it can be easily duplicated and also it can be transported without requiring physical movement. Something you have, in order to truly be a second factor, has to be a unique item that is: 1. In your possession 2. Cannot be (easily) duplicated without your knowledge (The greater the degree of difficulty for duplication, the better this is, but a Schlage key, for example, is sufficiently difficult to qualify in most cases). 3. Theft can be reliably detected by the fact it is no longer in your possession. An RSA or DSA key does not meet those criteria because it can be copied without your knowledge and without removing the key from your possession.
Btw, you should not be using RSA anymore and a 1024 bit RSA key does not in fact have a strength equal to 1024 bits entropy. It was considered equal to about 128 bit of entropy, but is believed to be weaker now. I am using ECC ecdsa-sha2-nistp521 which is equal to about 256 bits. Although some people with tin foil hats believe we should stay away from NIST altogether. Unless someone breaks the crypto, you are NOT going to brute force that key.
I think you’re the first person to bring up 1024 RSA keys here. I only said private keys. A very large fraction of SSH users are still using 1024 bit DSA keys in the real world. I am still using 2048 bit DSA keys. ECC would be better. I also didn’t say that a 1024 bit key had 1024 bits of entropy. I said that a 1024 bit key and a 256-character pass phrase have about the same entropy. There are about 128 bits of entropy in a good 256 character pass phrase. There are about 128 bits of entropy in a 1024 bit DSA key.
Yes I get your argument, you are saying break the key and you won't need the password, but a) you can't actually break the key before the universe ends, b) it is still two factor, just an extremely tiny in the academic
If you have enough cheap GPUs, you can actually break a 1024 bit key well before the universe ends. In fact, you can probably break it before the end of 2016 if you’re willing to put about $30k into the process.
sense little bit weaker two factor. All crypto based two factor systems
No, it’s not a second factor. See above… It’s two things you know and not something you have and something you know as you have claimed. Calling a private key something you have instead of something you know is the same kind of sleight of hand that Wall Street uses when they take a bunch of bad mortgages and package them up together and call it an AAA rated bond. (and we all saw how well that worked out). If you don’t know what I’m talking about, “The Big Short” is worth a watch.
suffers from the possibility that one could break the crypto and possibly escape the need to know one or even both factors. But Owen - come on -
Nope… Something you have isn’t subject to breaking the crypto, because its strength doesn’t come from crypto, its strength comes from unique physical properties that are difficult to duplicate and can be measured. Something you are similarly isn’t subject to breaking the crypto, because its strength comes from the unique physical properties of an individual person which can be measured and are difficult to duplicate. Yes, both can be broken and there are weaker and stronger choices. For example, a hand scanner is weaker than a retina scanner is weaker than a DNA scanner. Many of the fingerprint scanners are weaker than the hand scanners, but good ones are almost as strong as a retina scanner.
this silly argument pales and is so infinitely insignificant to the real problem with the ssh key two factor system, which is that the key is easily stolen and duplicated and there is no way to check the quality of the password (users might even change the key password to NO password).
Right… That was, in fact, what I originally said at the end of my initial message, but you chose to ignore that and focus on this rathole. Since misinformation and lack of pedantry is fatal to good cryptographic security (or good security in general), I felt compelled to correct you and I still stand by what I have said. Likely, as usual, neither of us is going to convince the other one. I will say, however, that my understanding of these issues comes from mentors that work with real security professionals and I would never cite something as weak as PCI-DSS as an authority. Most of my mentors in this area work primarily on contracts with three letter government agencies that may or may not be known to exist publicly. Owen
Regards,
Baldur
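One part of the "no way to check the key password" problem above can at least be audited on the client side: the OpenSSH private-key container stores its cipher and KDF names in the clear, so a script can flag key files stored with cipher "none" (no passphrase at all) without knowing any passphrase. This is an added example, not code from the thread; the two sample keys are constructed containers with placeholder payloads, not real keys.

```python
import base64
import struct

BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"  # fixed header of the openssh-key-v1 container


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem_text):
    """Return (cipher, kdf) recorded in an OpenSSH-format private key file.

    Both fields precede the encrypted section, so no passphrase is needed.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an openssh-key-v1 private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad container magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    return cipher.decode(), kdf.decode()


def is_passphrase_protected(pem_text):
    """True unless the key is stored with cipher 'none' / kdf 'none'."""
    cipher, kdf = key_protection(pem_text)
    return cipher != "none" and kdf != "none"


def _build_sample(cipher, kdf):
    # Constructed container for demonstration: header fields are real,
    # the public-key and private-section payloads are zero placeholders.
    def s(b):
        return struct.pack(">I", len(b)) + b
    body = (MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"\x00" * 8) + s(b"\x00" * 16))
    b64 = base64.b64encode(body).decode()
    return "\n".join([BEGIN] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [END])


UNPROTECTED_KEY = _build_sample(b"none", b"none")          # as written by ssh-keygen -N ""
PROTECTED_KEY = _build_sample(b"aes256-ctr", b"bcrypt")    # as written with a passphrase
```

Keys in the older PEM format (`BEGIN RSA PRIVATE KEY`) instead carry a `Proc-Type: 4,ENCRYPTED` header line when a passphrase was set, so an audit script should check for that header as well.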
On 27 December 2015 at 03:37, Owen DeLong <owen@delong.com> wrote:
On Dec 26, 2015, at 15:54 , Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
On 27 December 2015 at 00:11, Owen DeLong <owen@delong.com> wrote:
No… You are missing the point. Guessing a private key is roughly equivalent to guessing a really long pass phrase. There is no way that the server side can enforce password protection of the private key on the client side, so if you are assuming that public-key authentication is two-factor, then you are failing miserably.
The key approach is still better. Even if the password is 123456 the attacker is not going to get in, unless he somehow stole the key file.
Incorrect… It is possible the attacker could brute-force the key file.
A 1024 bit key is only as good as a ~256 character passphrase in terms of entropy.
If you are brute force or otherwise synthesizing the private key, you do not need the passphrase for the on-disk key. As was pointed out elsewhere, the passphrase for the key file only matters if you already stole the key file.
In terms of guessing the private key vs. guessing a suitably long pass phrase, the difficulty is roughly equivalent.
Technically it is two-factor even if the user made one of the factors really easy. And that might save the day if you have users that choose bad passwords.
Technically it’s not two-factor and pretending it is is dangerous.
The system is weak in that it is too easy to steal the key file. It is not unlikely that a user with sloppy passwords is also sloppy with his key file.
Right… No matter what you do it is virtually impossible to protect against sloppy users.
This has been true for decades even before the internet with teenagers given house keys.
Too bad ssh does not generally support a challenge-response protocol to a write only hardware key device combined with server side passwords that can be checked against a blacklist.
There’s no reason that it can’t if you use PAM.
Owen