isn't the problem here that the server is misrepresenting itself? a one bit difference may not make a less secure key, but it could quite possibly be an indication of some deception. i worry that altering the client to ignore this type of error will only open us up to attack, be it man-in-the-middle or otherwise.
Ben Armstrong ([EMAIL PROTECTED]) wrote: > On Thu, 9 Mar 2000, Junichi Uekawa wrote: > > Isn't it that to decrypt 1024 key takes double the amount of > > CPU time than decrypting 1023 key, as long as there is no other > > method than brute-force method of trying every combination. > > > > IMO It is a serious security issue, when the system is half as secure > > and one is not notified. And the person is trying to use a ssh. > > Where 'n' is a "reasonable" amount of time to crack a key using > brute-force, doubling 'n' does not equate to doubling the security of your > system. At the most, you have caused the cracker the minor annoyance of > having to wait twice as long for a result. > > Conversely, if '2n' is an "unreasonable" amount of time to crack a key > using brute-force, halving it to 'n' does not equate to halving the > security of your system. > > In other words, I rely on my ssh keys being several orders of magnitude > more difficult to crack than weaker crypto that is crackable in a > "reasonable" amount of time by brute force. Whether the keys are 1023 bit > or 1024 bit is irrelevant. Both accomplish this goal. > > Ben > -- > nSLUG http://www.nslug.ns.ca [EMAIL PROTECTED] > Debian http://www.debian.org [EMAIL PROTECTED] > [ pgp key fingerprint = 7F DA 09 4B BA 2C 0D E0 1B B1 31 ED C6 A9 39 4F ] > [ gpg key fingerprint = 395C F3A4 35D3 D247 1387 2D9E 5A94 F3CA 0B27 13C8 ] > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > -- (jacob kuntz) [EMAIL PROTECTED] [EMAIL PROTECTED],underworld}.net (megabite systems) "think free speech, not free beer."
