The good thing about PKI is that it takes longer to break.
The bad thing about PKI is many admins keep many private keys in the same
spot.
So you figure out one password, many doors are open.

--Alex


-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
Of Stephen Harris
Sent: Saturday, December 31, 2011 6:41 AM
To: CentOS mailing list
Subject: Re: [CentOS] what percent of time are there unpatched exploits
against default config?

On Sat, Dec 31, 2011 at 05:43:54AM -0800, Drew wrote:
> The argument I saw against PKI is that it's no more secure than 
> regular passwords because your certificates are password protected 
> anyways and stored on external media so they can be stolen and used to 
> access the system.

Typical security is based around three things:
  1. Something you know  (eg password)
  2. Something you have  (eg physical token, USB key, ssh private key)
  3. Something you are   (eg fingerprint)

Passwords are "1 factor"; it's just a password.  RSA SecurID tokens are "2
factor"; you need the number on the token and the PIN.  The more factors you
have, typically the stronger the protection.  (Assuming proper
implementation, of course!)

In the same way, public key authentication is 2 factor (in the SSH
implementation, anyway) because you need the private key and the passphrase
to the key.  (Historically, passphrases were longer than
8-character passwords, but that's not so true on many systems today.)

Why is this more secure?  Because a gazillion people can brute force attack
a box protected by passwords, however only people who have physical access
to the token (#2) can attack my box.  By stealing the token they've reduced
my protection to single factor.  BUT, and this is an important but, they
_have to steal it first_.

SSH keys are weaker than RSA tokens because an SSH key can be duplicated
without the owner's knowledge; if you steal my RSA key then I'll know!
But you still need to duplicate it, and that makes it stronger than password
auth.

-- 

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
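Stephen's point is that an SSH key only counts as a second factor while the key file itself is passphrase-encrypted, and Alex's is that admins often leave keys lying around. The following audit script is an added example, not code from this thread: it reads OpenSSH private key files (new `openssh-key-v1` format and legacy PEM), reports which ones are stored without a passphrase, and runs against constructed sample key headers rather than real keys.

```python
"""Audit OpenSSH private key files: is each one passphrase-protected?"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem_text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for one private key file."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return "unknown"
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            return "unknown"
        # Header layout: magic, ciphername, kdfname, kdfoptions, nkeys ...
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(body, off)
        # cipher "none" + kdf "none" means the key material is in the clear.
        return "plaintext" if cipher == b"none" and kdf == b"none" else "encrypted"
    if "ENCRYPTED PRIVATE KEY" in lines[0]:  # PKCS#8 encrypted wrapper
        return "encrypted"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by headers.
    encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
    return "encrypted" if encrypted else "plaintext"


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _make_openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: a minimal openssh-key-v1 header, not a real key."""
    raw = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
    raw += _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_KEYS = {  # constructed inputs standing in for files under ~/.ssh
    "id_ed25519_nopass": _make_openssh_blob(b"none", b"none"),
    "id_ed25519": _make_openssh_blob(b"aes256-ctr", b"bcrypt"),
    "legacy_id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}


def audit(keys: dict) -> list:
    """Return the names of keys stored without any passphrase."""
    return sorted(n for n, text in keys.items() if key_protection(text) == "plaintext")
```

Pointing `audit` at real files (read each `~/.ssh/id_*` into the dict) gives the list of keys that are single-factor in Stephen's sense.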

