<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"><meta http-equiv="Content-Type" content="text/html charset=us-ascii"><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi All,<div><br></div><div>I know it's not enough but it could be 'one more edge' to improve secured access, it's the <a href="http://www.yubico.com/products/yubikey-hardware/yubikey/">yubikey</a>.</div><div>Or just a usb stick transformed to be used with <a href="http://pamusb.org">pamusb lib</a>.</div><div><br></div><div>Another thing, ECDSA is better than RSA until size is lower than 1024 or 2048 bits I read. (But I would have confirmation/infirmation of it)</div><div>For example, RSA key with more than 4096 could be stronger than ECDSA key with 4096 bits.</div><div><br></div><div>Is it true ?</div><div><br></div><div>Thank you,</div><div>Julien</div><div><br><div><div>On 28 Aug, 2013, at 4:07 AM, George Rosamond <<a href="mailto:george@ceetonetechnology.com">george@ceetonetechnology.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Okan Demirmen:<br><blockquote type="cite">On Tue, Aug 27, 2013 at 9:50 PM, George Rosamond<br><<a href="mailto:george@ceetonetechnology.com">george@ceetonetechnology.com</a>> wrote:<br><blockquote type="cite">Okan Demirmen:<br><blockquote type="cite">On Tue, Aug 27, 2013 at 7:24 PM, George Rosamond<br><<a href="mailto:george@ceetonetechnology.com">george@ceetonetechnology.com</a>> wrote:<br><blockquote type="cite">Okan Demirmen:<br><blockquote type="cite">On Wed, Aug 7, 2013 at 9:58 AM, Isaac (.ike) Levy<br><<a href="mailto:ike@blackskyresearch.net">ike@blackskyresearch.net</a>> wrote:<br><blockquote type="cite"><br>Hi All,<br><br>I'd love to know what people's thoughts are on the state of older<br>RSA/DSA encryption, versus the future of eliptic curve ECDSA:<br><br><a href="http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/">http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/</a><br><br>--<br>A few years ago, a number of us were wary of the brand-spankin'-new ECC<br>crypto for use in SSH public keys. And then months later, there were<br>some ECDSA/ssh implementation problems exposed:<br><br><a href="http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2">http://marc.info/?l=openssh-unix-dev&m=130613765816780&w=2</a><br><br>So, that was 2 years ago, ECDSA implementations are now no longer in<br>their infancy.<br><br>--<br>What are people's thoughts on the practicality of starting to use ECDSA<br>keys?<br><br>Has anyone here seen their use mandated over RSA/DSA in a business setting?<br>Has anyone just jumped into ECDSA bliss, and not looked back?<br></blockquote><br>Not that this might mean much, but I use them.<br><br>As for policies in a business setting; I gather such technical<br>policies are made by people like you, so it's likely up to what folks<br>like you write in said policies :)<br></blockquote><br>So I'm in the process of getting a client to pickup better practices<br>with SSH, and found out even OSX 10.7.5 doesn't support ecdsa.<br><br>AFAIK, Putty doesn't either yet, and I doubt SSH for Windows does either.<br></blockquote><br>So many things there just blew my mind...but OK, I'll mend myself later :)<br><br>I'd simply recommend to them to start using keys, regardless of type -<br>get them in the habit, and whenever these other tools get support for<br>the new fangle stuff, just add to authorized keys and migrate. Just<br>get them in the habit of thinking about keys instead. I'm sure you<br>know all this....<br></blockquote><br>Like most of the sane world, they are using keys.. with passwds. I'm<br>going the next step.<br></blockquote><br>I figured. So here's my issue, and you can call it a double-edged<br>sword if you want - one is storing private keys on client that lives<br>in an extremely hostile environment - that is the vector that needs to<br>be addressed. Sure, remove keys and use passwords instead - then<br>we're back to that debate.<br><br>Double-edged? Maybe, but think about the use-case and attack vectors -<br>that's all I'm saying.<br></blockquote><br>So this would be much easier if we could have IRC synchronized with<br>talk@ ;) (efnet #nycbug)<br><br>Security and its related fields are often relative, and dependent upon<br>adversaries in question. And part of the relative and cumulative issue<br>is with user behavior.<br><br>Don't require a strict security policy on passwds and 12 other things<br>overnight. Once they figure out how to create and remember multiple<br>long passwds, then you build off that, for instance. So you have them<br>comfortably using SSH, then keys. And keys with passwds doesn't seem so<br>initimidating.<br><br>g<br><br>_______________________________________________<br>talk mailing list<br><a href="mailto:talk@lists.nycbug.org">talk@lists.nycbug.org</a><br><a href="http://lists.nycbug.org/mailman/listinfo/talk">http://lists.nycbug.org/mailman/listinfo/talk</a><br></blockquote></div><br></div></body></html>