The Beeb has an informative article on how hard it is to break the 128-bit encryption in common use by a lot of current software. It explains the basics of private-public key pairs without sounding too technical as well as describing other popular methods of breaking security.
Although I’ve played with brute-force tools myself, I’ve found them to be inefficient and time-consuming at best, especially when dealing with key pairs, so they’re right about it being almost impossible. Other methods, such as social engineering, seem to be much more effective.
Another common reason for breaches is poor security policies or not taking the policies seriously. Recently, a certain friend of mine (you know who you are :-)) emailed his private ssh key to his webmail address so he could use it from anywhere. This off course, makes the whole point of private keys moot since nothing is safe if sent unencrypted through email. It sent alarm bells ringing in my head and I made him generate a new key.
2 thoughts on “Breaking codes”
I think that unless your friend skipped the password step in ssh-keygen or chose a very weak passphrase, there isn’t much to worry about. openssh crypts the private key with 3DES.
That’s correct, but breaking a password (and I’m sure his wasn’t that strong, if he had any) is many magnitudes easier than breaking the encryption itself.
Keeping your private key private is one of the most basic things you should do.
Comments are closed.