9fans - fans of the OS Plan 9 from Bell Labs
From: "Devon H. O'Dell " <dodell@offmyserver.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] secstore security
Date: Mon, 11 Apr 2005 12:01:13 +0200	[thread overview]
Message-ID: <20050411100113.GC56515@smp500.sitetronics.com> (raw)
In-Reply-To: <93546c9b78bebd4ddb075ec510d3f640@quintile.net>

On Mon, Apr 11, 2005 at 10:38:40AM +0100, Steve Simon wrote:
> I want to backup my secstore on other machines, and
> the 9grid nodes seem the obvious place. I trust
> the 9grid administrators as far as I can (I have never met them),
> but in the general case, how secure is the secstore from
> a dictionary attack by bootes?
> 
> I have read the text on secstore in /sys/doc/auth.ps but I
> don't feel qualified to make a decision.
> 
> Any security experts out there?
> 
> -Steve

First: I don't claim to be a security expert :)

The algorithms used are similar enough to those used in other
systems (that have been used for a good while and are currently
considered secure) for me to feel comfortable with it. Keys are
stored with Rijndael+CBC, so birthday attacks aren't going to be
likely either.

I think that you'd need to be more worried about transmitting
keys over plain text protocols. You will never be protected
against dictionary attacks by one who has access to the keys in
their encrypted form, but the PAK protocol used in secstore
``prevents dictionary attacks on the password by passive
wiretappers or active intermediaries'' (i.e. active or passive
third parties).

If you choose strong passwords (passphrases are good these
days), dictionary attacks should be infeasible. So unless
someone finds a way to access the memory with the decrypted
passphrases (or your password is `moo'), you should feel safe
with the methodology used by factotum / secstore.

--Devon
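An added illustration, not part of the thread and not secstore or factotum code: the reply's point is that anyone holding the encrypted key file can guess passwords offline, so the only defence there is the work factor of the passphrase itself. The script below estimates that work factor for a few password classes (a short lowercase word like `moo`, a single dictionary word, random characters, and a multi-word passphrase). The guess rate, word-list sizes and the 100-year feasibility horizon are constructed assumptions for the sake of the example, not measurements of any real attacker or of secstore.

```python
"""Estimate the cost of an offline guessing attack against a
password-derived key.  Added example; all rates and list sizes below are
constructed assumptions, not properties of secstore."""
import math

# Assumed character-class sizes for randomly chosen passwords.
CHARSET_SIZES = {
    "lowercase": 26,
    "alnum": 62,
    "printable": 95,
}
DICTIONARY_WORDS = 100_000   # assumed size of an attacker's word list
DICEWARE_WORDS = 7776        # size of the standard Diceware list (6**5)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits_random(length, charset):
    """Bits of entropy in `length` characters drawn uniformly from `charset`."""
    return length * math.log2(CHARSET_SIZES[charset])


def entropy_bits_dictionary(words_in_list=DICTIONARY_WORDS):
    """Bits of entropy in one word picked from a list of the given size."""
    return math.log2(words_in_list)


def entropy_bits_passphrase(num_words, list_size=DICEWARE_WORDS):
    """Bits of entropy in a passphrase of `num_words` independent words."""
    return num_words * math.log2(list_size)


def expected_seconds_to_guess(entropy_bits, guesses_per_second):
    """Average time to find the secret: half the space at the given rate."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def classify(entropy_bits, guesses_per_second=1e9, horizon_years=100):
    """Label a secret 'feasible' to guess if the expected search time at the
    assumed rate falls within the horizon, otherwise 'infeasible'."""
    years = expected_seconds_to_guess(entropy_bits, guesses_per_second) / SECONDS_PER_YEAR
    return "feasible" if years < horizon_years else "infeasible"


def report(guesses_per_second=1e9):
    """Build a table of (label, bits, expected years, verdict) rows."""
    cases = [
        ("'moo' (3 lowercase chars)", entropy_bits_random(3, "lowercase")),
        ("one dictionary word", entropy_bits_dictionary()),
        ("8 random alnum chars", entropy_bits_random(8, "alnum")),
        ("12 random printable chars", entropy_bits_random(12, "printable")),
        ("6-word Diceware passphrase", entropy_bits_passphrase(6)),
    ]
    rows = []
    for label, bits in cases:
        years = expected_seconds_to_guess(bits, guesses_per_second) / SECONDS_PER_YEAR
        rows.append((label, bits, years, classify(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # Assumed attacker rate: 1e9 guesses/second against the stored ciphertext.
    for label, bits, years, verdict in report():
        print(f"{label:28s} {bits:6.1f} bits  ~{years:.3g} years  {verdict}")
```

Running it shows why the reply distinguishes `moo` from a passphrase: a three-letter lowercase password falls in microseconds at the assumed rate, while a six-word Diceware passphrase (about 77 bits) would take millions of years. The rate parameter is the thing to revisit: a key-derivation step that slows each guess lowers the feasible rate, and a larger attacker budget raises it, so the verdict column moves with the assumption rather than being a property of the cipher.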
