Re: Certificate pass phrase brute force...

2014-09-05 Thread Kyle Hamilton
If someone has the encrypted key data, they can feed that data anywhere they wish. In that case, they can feed it into processing systems that do not enforce rate-limiting. Thus, there is no way to do what Dave Paxton suggests in any case. -Kyle H On September 5, 2014 12:51:04 PM PST, flgirl7

Re: Certificate pass phrase brute force...

2014-09-05 Thread Gregory Sloop
There is nothing special about cracking a certificate password versus any other password. There is a lot of literature out there; a web search will easily give you enough information to be depressed. I think your biggest faulty assumption is that your users will pick truly random 10char passw

RE: Certificate pass phrase brute force...

2014-09-05 Thread Michael Wojcik
Very few attackers are going to bother with an online attempt to crack a password, except when a (broken) system provides an oracle for validating password attempts. They'll get a copy of a password verifier (such as a salted hash or something encrypted using the password) and perform an offline
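
The offline attack Michael Wojcik describes, as an added example that is not code from the thread or from OpenSSL. It assumes the legacy "DEK-Info" PEM format (OpenSSL derives the cipher key with EVP_BytesToKey: MD5, one iteration, salt = first 8 bytes of the header IV), a constructed PEM header with a hand-picked IV, and a stand-in check function (an HMAC tag, because AES is not in the Python standard library) in place of "decrypt the first block and see if it is a DER SEQUENCE". It also shows why Kyle Hamilton's point holds: every guess is checked on the attacker's own hardware, so a rate limit on the defender's side never sees it; the only lever left is a slower key derivation, such as PKCS#8 with PBKDF2 and a high iteration count.

```python
# Added example (not from the thread or from OpenSSL): offline guessing
# against a passphrase-protected legacy PEM key, and the per-guess cost
# of the legacy KDF versus PBKDF2 (openssl pkcs8 -v2 -iter N).
import hashlib
import hmac
import re
import time

# Key sizes for the cipher names OpenSSL writes into a DEK-Info header.
KEY_LEN = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32,
           "DES-EDE3-CBC": 24}


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int,
                     md: str = "md5", count: int = 1) -> bytes:
    """OpenSSL's EVP_BytesToKey(): D_i = H^count(D_{i-1} || password || salt),
    concatenated until key_len bytes exist. Legacy PEM encryption uses md5,
    count=1 and salt = first 8 bytes of the IV printed in the header."""
    out, prev = b"", b""
    while len(out) < key_len:
        d = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):
            d = hashlib.new(md, d).digest()
        out += d
        prev = d
    return out[:key_len]


DEK_RE = re.compile(rb"DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)")


def parse_dek_info(pem: bytes):
    """Return (cipher name, IV bytes) from a legacy encrypted PEM header."""
    m = DEK_RE.search(pem)
    if not m:
        raise ValueError("not a legacy encrypted PEM (no DEK-Info header)")
    return m.group(1).decode(), bytes.fromhex(m.group(2).decode())


def offline_guess(pem: bytes, wordlist, check):
    """Derive a key from each candidate passphrase and the header's salt, then
    ask check(key, iv) whether it is right. The check runs locally on the
    attacker's machine; nothing here touches the defender's systems.
    Returns (passphrase or None, number of guesses made)."""
    cipher, iv = parse_dek_info(pem)
    salt, key_len = iv[:8], KEY_LEN[cipher]
    tried = 0
    for guess in wordlist:
        tried += 1
        if check(evp_bytes_to_key(guess, salt, key_len), iv):
            return guess, tried
    return None, tried


# --- constructed demo data (not a real key) ---------------------------------
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,0102030405060708090A0B0C0D0E0F10\n"
              b"\n...base64 body omitted...\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_PASSPHRASE = b"openvpn2014"
SAMPLE_WORDLIST = [b"password", b"123456", b"letmein", b"openvpn",
                   b"openvpn2014", b"OpenVPN!"]


def demo_check(pem: bytes = SAMPLE_PEM, passphrase: bytes = SAMPLE_PASSPHRASE):
    """Stand-in for the real check (AES is not in the standard library): an
    HMAC tag over the correct key plays the role of the known plaintext
    structure the attacker would recognise after a successful decryption."""
    cipher, iv = parse_dek_info(pem)
    want = evp_bytes_to_key(passphrase, iv[:8], KEY_LEN[cipher])
    tag = hmac.new(want, iv, "sha256").digest()
    return lambda key, iv_: hmac.compare_digest(
        hmac.new(key, iv_, "sha256").digest(), tag)


def cost_ratio(iterations: int = 2048, rounds: int = 200) -> float:
    """Time per guess for PBKDF2-HMAC-SHA256 (the PKCS#8 v2 path) divided by
    time per guess for the legacy EVP_BytesToKey derivation. Only the key
    derivation is measured; it is the part the key owner controls."""
    salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    t0 = time.perf_counter()
    for i in range(rounds):
        evp_bytes_to_key(b"guess%d" % i, salt, 16)
    legacy = max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter()
    for i in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, salt, iterations, 16)
    pbkdf2 = time.perf_counter() - t0
    return pbkdf2 / legacy


if __name__ == "__main__":
    found, n = offline_guess(SAMPLE_PEM, SAMPLE_WORDLIST, demo_check())
    print(f"recovered {found!r} after {n} guesses")
    print(f"PBKDF2(2048) costs ~{cost_ratio():.0f}x more per guess than the legacy PEM KDF")
```

The wordlist stands in for the real attacker's resource: the guesses come from password dumps and rules, not from random 10-character strings, which is the faulty assumption Gregory Sloop points at. The ratio printed by `cost_ratio()` is the whole benefit of re-wrapping a key with `openssl pkcs8 -topk8 -v2 aes-256-cbc -iter N`: it multiplies the attacker's cost per guess, but cannot stop the guessing.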

Re: Certificate pass phrase brute force...

2014-09-05 Thread netout net
I don't understand what's going on. On 5 Sept 2014 at 22:04, "dave paxton" wrote: > Perfect. No rudeness here. Just ideas. I do think that relying on a > password as a base system for the private key will be the Achilles heel of > any system. Even if you allow for CAPS you will soon have sys

Re: Certificate pass phrase brute force...

2014-09-05 Thread dave paxton
Perfect. No rudeness here. Just ideas. I do think that relying on a password as a base system for the private key will be the Achilles heel of any system. Even if you allow for CAPS you will soon have systems that will try to pass these in a few million times a second. As an administrator look

Re: Certificate pass phrase brute force...

2014-09-05 Thread flgirl799901
I most certainly did NOT hack into anything. I thank you so much for your response, but deplore your rudeness Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone Original message From: dave paxton Date: 09/05/2014 3:33 PM (GMT-05:00) To: openssl-users@openssl.org

RE: Certificate pass phrase brute force...

2014-09-05 Thread Michael Wojcik
[Apologies for top-posting; I'm using Outlook, and it's incapable of handling replies to HTML email properly. I'm sympathetic to its dislike of HTML email, but not to its inability to do things that BSD Mail managed to accomplish 30 years ago. Anyway...] First: Passphrases for certificates are

Re: Certificate pass phrase brute force...

2014-09-05 Thread dave paxton
That is easy. Just restrict the number of different passwords per day. Any account. Thus the old school brute force idea passes out the window. Most of what you are looking at is a signing issue. Basically one person does a transaction and the other person verifies it. They do the DSA and

RE: Certificate pass phrase brute force...

2014-09-05 Thread Salz, Rich
There is nothing special about cracking a certificate password versus any other password. There is a lot of literature out there; a web search will easily give you enough information to be depressed. I think your biggest faulty assumption is that your users will pick truly random 10char passwor

RE: Certificate pass phrase brute force...

2014-09-05 Thread flgirl799901
How do I unsubscribe from all of this? Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone Original message From: Gregory Sloop Date: 09/05/2014 1:36 PM (GMT-05:00) To: openssl-users@openssl.org Cc: Subject: Certificate pass phrase brute force... General quest

Certificate pass phrase brute force...

2014-09-05 Thread Gregory Sloop
General question: I've done a number of searches and can't find a lot about the subject. [I've searched the list archives too...at least as best I could.] In several cases, the most obvious being OpenVPN, I use client certificates generated by openssl, with a pass-phrase [password]. This means

RE: The no-stdio and NO_FP_API options

2014-09-05 Thread Salz, Rich
Thanks. There is no big rush, knowing you're working on it, and this is for after 1.0.2. Perhaps by January/Feb? -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz __ Open