LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] SSH dictionary attacks.

[ILUG] SSH dictionary attacks.

paul at clubi.ie paul at clubi.ie
Sun Aug 27 17:06:50 IST 2006 

On Sun, 27 Aug 2006, Aine Douglas wrote:

>> particularly can make such hardware expensive. Cheaper, smaller
>> 'smartcards' likely still allow a determined attacker to recover the
>> secret key (e.g. the credit card and "ChipKnip" banking smartcards
>> are vulnerable iirc).
>
> That is the basis for the majority of PKCS11 devices. Values go in,
> computation carried out on card, result comes out.

Reread the text you're replying to :).

> Technologies have moved on since you've learned this one. I'm not 
> sure about the opensource security toolkits, but the commercial 
> ones allow you to create encrypted memory allocations which avoid 
> this, and in those memory allocations, they specifically allocate 
> in physical memory and not virtual memory spaces else the 
> allocation returns an error and you can't do the operation. Check 
> out the Baltimore jcrypto api for more info.

That's nice, but the key is still accessible to the administrator. 
Which in many cases == the user (especially on windows machines). 
Further, even if the user does not have administrative rights, if 
they control the machine, they have administrative privileges if they 
want it.

Some thing to read up on is "Snake oil", google for that term + 
"Schneier".

I can categorically tell you that this software of Baltimore's has 0 
way of knowing whether or not it has been tampered it on common 
systems today. If anyone says it can (and I bet Baltimore *won't*) 
they are misinformed. It might be able to guard against unprivileged 
users, but that's not full tamper-protection.

> possibly hold. Just don't keep your eyes closed to the 
> possibilities forever, as the weaknesses expressed by yourself are 
> so obvious it is only a matter of time before someone addresses the 
> issue.

You mentioned the word "intractible". You point out that for some 
reason there's no open code to solve this problem, despite 
many commercial companies apparently having "solved" this problem.

Ask yourself why, and don't forget to google for:

 	snake oil Schneier

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
All new:
 	Parts not interchangeable with previous model.

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell