> "passwords are insecure, PKCs are secure, therefore anything
> that uses PKCs is magically made secure"
Well as you said, you have to look at what happens in the real world. I would
argue PKCs make things obscure, which buys you a fair amount of security until
some undetermined point in time (past or future) when an attacker gets serious
enough to understand what you are doing.
Von
On Jun 5, 2012, at 8:11 AM, Peter Gutmann wrote:
> Thierry Moreau <thierry.mor...@connotech.com> writes:
>
>> Unless automated SSH sessions are needed (which is a different problem
>> space), the SSH session is directly controlled by a user. Then, the private
>> key is stored encrypted on long term storage (swap space vulnerability
>> remaining, admittedly) and in *plaintext*form*only*momentarily* for SSH
>> handshake computations following a decryption password entered by the user.
>
> ...except that a user study a few years back ("Inocilating SSH Against Address
> Harvesting") found that two thirds of all SSH private keys were stored in
> plaintext on disk. You need to look at what actually happens in practice, not
> what in theory should happen in an ideal world.
>
> In any case though you're completely missing the point of my argument (as did
> the previous poster), which is that a scary number of people follow the
> thinking that "passwords are insecure, PKCs are secure, therefore anything
> that uses PKCs is magically made secure" even when it's quite obviously not
> secure at all. This is magical thinking, not any kind of reasoned assessment
> of security.
>
> Peter.
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
