@bascule Sure, but you still need access to the private key file, which means root, which means capturing the passphrase is trivial.
@gkmccready not root, it can be anything that can read a file as your current user
@bascule So anything already running as me? What am I protecting against again? I'm already compromised...
@gkmccready pretty much! MySQL LOAD DATA LOCAL comes to mind
@bascule The point is the md5'd passphrase as a symmetric key isn't the weak point. For it to be the weakest link, you're already in trouble
@gkmccready cryptography is a systems problem, and all parts need to be secure
@bascule Okay, what do you replace it with that's any better given the threats you're trying to mitigate?
@gkmccready any decent PBKDF. ssh supports PKCS#8/PBKDF2 out of the box (except, apparently, on OS X Mavericks)
New conversation
@bonsaiviking @solardiz lololol :( :( :(
End of conversation
New conversation
@bascule the hash isn't stored in the key file and verifying the key isn't exactly cheap but a KDF is on the todo list I believe.
@alexstapleton a PKCS#8 encrypted key w/ PBKDF2 worked just fine with OpenSSH... until OS X Mavericks o_O
@bascule oh dear :-(
End of conversation
New conversation
@bascule but you can't derive that md5 easily out of the encrypted key, can you? (or do you mean md5 produces a weaker encryption key?)
@kalou000 you can brute force MD5 (i.e. dictionary attack) fairly easily
@bascule I don't get the point when using the md5 as a symmetric key - easier/harder than "plaintext key" with enough bits? (if so, why?)
End of conversation
New conversation
@bascule I store my private keys in a GPG armored tarball, and they only unpack when I am in a login shell on my laptop.