Does Public Key Authentication offer additional security over SSH/SFTP - SSH

This is a discussion on Does Public Key Authentication offer additional security over SSH/SFTP - SSH ; Hi guys, I've got a fairly newbie (but hopefully quick) question. So I've set up a public/private key pair on my Unix boxes for authentication for my SSH/SFTP connections so I don't have to provide my password. Does setting this ...

+ Reply to Thread
Results 1 to 13 of 13

Thread: Does Public Key Authentication offer additional security over SSH/SFTP

  1. Does Public Key Authentication offer additional security over SSH/SFTP

    Hi guys,

    I've got a fairly newbie (but hopefully quick) question.
    So I've set up a public/private key pair on my Unix boxes for
    authentication for my SSH/SFTP connections so I don't have to provide
    my password.

    Does setting this up provide an extra layer of security (ie additional
    encryption) ?

    Cheers
    Capt. Wing


  2. Re: Does Public Key Authentication offer additional security over SSH/SFTP

    On 2006-12-12, Marty W wrote:
    > I've got a fairly newbie (but hopefully quick) question.
    > So I've set up a public/private key pair on my Unix boxes for
    > authentication for my SSH/SFTP connections so I don't have to provide
    > my password.
    >
    > Does setting this up provide an extra layer of security


    Yes, in that the private key is much harder for an attacker to guess
    compared to a password.

    > (ie additional encryption) ?


    Of the data being sent? No. There's an extra cryptographic step in the
    authentication where the client proves to the server that it has access
    to the relevant private key but after that the encrpytion of the data
    is equivalent regardless of the authentication method (all other things
    being equal).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  3. Re: Does Public Key Authentication offer additional security overSSH/SFTP

    Marty W wrote:
    > Hi guys,
    >
    > I've got a fairly newbie (but hopefully quick) question.
    > So I've set up a public/private key pair on my Unix boxes for
    > authentication for my SSH/SFTP connections so I don't have to provide
    > my password.
    >
    > Does setting this up provide an extra layer of security (ie additional
    > encryption) ?
    >
    > Cheers
    > Capt. Wing
    >


    The security is only as good as the strength of the passphrase on the
    private key. If you've left it unencrypted (no passphrase), you actually
    made it much easier for an attacker to get into your servers. They just
    need to steal a copy of the key and they will never need anything else.
    With a weak password, it's subject to dictionary attacks, but they would
    still need to get a copy of the key file. The bottom line is protect the
    private key file itself by making it as inaccessible as possible to
    anyone but you, and then have it encrypted with a strong passphrase.

  4. Re: Does Public Key Authentication offer additional security over SSH/SFTP

    Chuck writes:

    >Marty W wrote:
    >> Hi guys,
    >>
    >> I've got a fairly newbie (but hopefully quick) question.
    >> So I've set up a public/private key pair on my Unix boxes for
    >> authentication for my SSH/SFTP connections so I don't have to provide
    >> my password.
    >>
    >> Does setting this up provide an extra layer of security (ie additional
    >> encryption) ?


    No. It is a way of authenticating. Ie, computer B has computer A's public
    key, then when computer A tries to log on, computer B can check to make
    sure that A"s private key was used.


    >>
    >> Cheers
    >> Capt. Wing
    >>


    >The security is only as good as the strength of the passphrase on the
    >private key. If you've left it unencrypted (no passphrase), you actually


    Authentication, not security.

    > made it much easier for an attacker to get into your servers. They just



    >need to steal a copy of the key and they will never need anything else.
    >With a weak password, it's subject to dictionary attacks, but they would
    >still need to get a copy of the key file. The bottom line is protect the
    >private key file itself by making it as inaccessible as possible to
    >anyone but you, and then have it encrypted with a strong passphrase.


    And even better, never log onto any other computer-- then you do not need
    any authentication.

    If they can get a copy of your key file, they eitehr either root on your
    system ( and thus can read your password anyway when you type it in) or are
    logged in as you ( in which case they can read your password when you type
    it in).


  5. Re: Does Public Key Authentication offer additional security over SSH/SFTP

    "Marty W" writes:
    > I've got a fairly newbie (but hopefully quick) question.
    > So I've set up a public/private key pair on my Unix boxes for
    > authentication for my SSH/SFTP connections so I don't have to provide
    > my password.
    >
    > Does setting this up provide an extra layer of security (ie additional
    > encryption) ?


    the shared secret (pins/password) is that the authentication
    information (on the server end) is the same as the originating
    information. as a result there is frequent requirements that a unique
    pin/password is required for every different security domain. over the
    decades, this has progressed so that people possibly now are burdened
    with scores of passwords.

    to top it off, the passwords are supposedly selected to be hard to guess
    .... but that also tends to make them hard to remember. as a result,
    it is scores of impossible to remember passwords ... leading to frequent
    result that all the passwords are written down on piece of paper ... which
    becomes a vulnerability in itself. misc. postings mentioning shared
    secret (pins, password, etc) issued.
    http://www.garlic.com/~lynn/subintegrity.html#secrets

    old 1APR password corporate directive from 1984:
    http://www.garlic.com/~lynn/2001d.html#51 A beautiful morning in AFM
    http://www.garlic.com/~lynn/2001d.html#52 A beautiful morning in AFM

    so public key has the characteristic that the information used to
    originate the authentication is different from the information used to
    perform the authentication ... aka learning the public key doesn't
    imply that it is possible to fraudulent impersonate (like the case for
    shared secret passwords). this eliminates the motivation for unique
    key for ever different security domain ... and theoritically allows
    for the same public key to be registered for all authentications.

    old public key operation proposal from 1981
    http://www.garlic.com/~lynn/2006w.html#12 more secure communication over the network
    http://www.garlic.com/~lynn/2006w.html#15 more secure communication over the network
    http://www.garlic.com/~lynn/2006w.html#18 more secure communication over the network

    misc. recent password news item URLs:

    Successful Alternatives to Password Authentication?
    http://ask.slashdot.org/askslashdot/.../2142218.shtml
    Chinese malware takes aim at passwords
    http://www.theinquirer.net/default.aspx?article=35909
    The End of Password Post-Its
    http://www.darkreading.com/document.asp?doc_id=111200
    RSA Security research shows volume of business passwords overwhelming
    end users and hindering IT security efforts
    http://www.ameinfo.com/103400.html
    Warning over use of repeat passwords
    http://www.hackinthebox.org/modules....icle&sid=21901
    Warning over use of repeat passwords
    http://www.theage.com.au/news/securi...080812161.html
    UN warns on password 'explosion'
    http://news.bbc.co.uk/2/hi/technology/6199372.stm
    Warning over use of repeat passwords
    http://www.linuxsecurity.com/content/view/126036/169/
    Second Word Zero-day Exploit Steals Passwords
    http://www.techweb.com/showArticle.j...leID=196603174
    Most play poorly at the password game
    http://seattlepi.nwsource.com/busine...sword11ww.html


  6. Re: Does Public Key Authentication offer additional security overSSH/SFTP

    Unruh wrote:

    > If they can get a copy of your key file, they eitehr either root on your
    > system ( and thus can read your password anyway when you type it in) or are
    > logged in as you ( in which case they can read your password when you type
    > it in).
    >


    Huh?

    If your public key is passphrase protected it doesn't matter if the
    attacker has root or not. If they don't know the passphrase, they can't
    decrypt the key.

  7. Re: Does Public Key Authentication offer additional security overSSH/SFTP

    You really need to be more concise.

  8. Re: Does Public Key Authentication offer additional security over SSH/SFTP

    >>>>> "Chuck" == Chuck writes:

    Chuck> Unruh wrote:
    >> If they can get a copy of your key file, they eitehr either root on
    >> your system ( and thus can read your password anyway when you type
    >> it in) or are logged in as you ( in which case they can read your
    >> password when you type it in).
    >>


    Chuck> Huh?

    Chuck> If your public key is passphrase protected it doesn't matter if
    Chuck> the attacker has root or not. If they don't know the
    Chuck> passphrase, they can't decrypt the key.

    His point is that root can contrive to monitor your keystrokes, hence
    discover your passphrase as you type it.

    --
    Richard Silverman
    res@qoxp.net


  9. Re: Does Public Key Authentication offer additional security over SSH/SFTP

    >>>>> "Chuck" == Chuck writes:

    Chuck> You really need to be more concise.

    You obviously haven't met the Anne/Lynn collective before.

    --
    Richard Silverman
    res@qoxp.net


  10. Re: Does Public Key Authentication offer additional security overSSH/SFTP

    Richard E. Silverman wrote:
    >>>>>> "Chuck" == Chuck writes:

    >
    > Chuck> You really need to be more concise.
    >
    > You obviously haven't met the Anne/Lynn collective before.
    >
    > --
    > Richard Silverman
    > res@qoxp.net
    >


    I have, but I lost my killfile when I got my new laptop.

  11. Re: Does Public Key Authentication offer additional security over SSH/SFTP

    On 2006-12-15, Richard E. Silverman wrote:
    >>>>>> "Chuck" == Chuck writes:

    > Chuck> If your public key is passphrase protected it doesn't matter if


    s/public key/private key/

    > Chuck> the attacker has root or not. If they don't know the
    > Chuck> passphrase, they can't decrypt the key.
    >
    > His point is that root can contrive to monitor your keystrokes, hence
    > discover your passphrase as you type it.


    Root can also trivally copy the private key and perform an offline
    dictionary attack to determine the passphrase. This probably won't
    take long for simple passphrases.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  12. Re: Does Public Key Authentication offer additional security over SSH/SFTP


    Darren Tucker writes:
    > Root can also trivally copy the private key and perform an offline
    > dictionary attack to determine the passphrase. This probably won't
    > take long for simple passphrases.


    arcot
    http://www.arcot.com/

    was demo'ing private key file cracks at rsa '98 ... avg. time was
    something like 30 seconds. they showed lots of vulnerabilities that
    attackers (not just root) could obtain/harvest files off of PCs. they
    also demo'ed a countermeasure that it made it significantly more
    difficult for an attacker doing brute force attack on private key
    file.

    at the time, some were expecting that chip-based containers (for
    private keys) were just momentarily around the corner ... and the
    private key file scenarios were supposedly just emulating real chip
    containers (pending the availability of the real thing).

  13. Re: Does Public Key Authentication offer additional security overSSH/SFTP

    Darren Tucker wrote:
    > On 2006-12-15, Richard E. Silverman wrote:
    >>>>>>> "Chuck" == Chuck writes:

    >> Chuck> If your public key is passphrase protected it doesn't matter if

    >
    > s/public key/private key/
    >
    >> Chuck> the attacker has root or not. If they don't know the
    >> Chuck> passphrase, they can't decrypt the key.
    >>
    >> His point is that root can contrive to monitor your keystrokes, hence
    >> discover your passphrase as you type it.

    >
    > Root can also trivally copy the private key and perform an offline
    > dictionary attack to determine the passphrase. This probably won't
    > take long for simple passphrases.
    >


    That's why I said you need to use a good strong passphrase in message
    (link below).

    http://groups.google.com/group/comp....7a013ee2368065

+ Reply to Thread