SmaugMuds.org - Viewing Topic: Changeover to SHA-256 encryption

» SmaugMuds.org » General » General Discussions » Changeover to SHA-256 encrypt...

Forum Rules | Mark all | Recent Posts

Changeover to SHA-256 encryption

< Newer Topic :: Older Topic >

Pages:<< prev 1, 2 next >>

#21 Jan 4, 2008, 8:23 pm

David Haley
Sorcerer

GroupMembers
Posts903
JoinedJan 29, 2007

Quixadhal said:

It solves the problem (...) Unlike a password, these aren't things that can be tossed about unless you have a photographic memory.

I think we must not have been talking about the same problem. :wink:

I wasn't talking about the strength of passwords vs. strength of key pairs. Besides, a password can be made as secure as a key pair (insofar as sending something to a perhaps untrusted MUD server is secure to begin with) by just having a very complicated password...

But I'm not sure why you say that keys can't be tossed about just as easily as passwords. Here, let me paste one:
(several characters)
Well, you get the idea. Perhaps you are speaking about bad passwords like "hello"?

Quixadhal said:

I suppose, although it would still require the end user to run their client inside another client (which would do the authentication and ssh protocol layer). Not something I'd expect to see often.

Well, I'd just tunnel locally as well and not use any dedicated client. But that's basically running in another client, yes.

#22 Jan 4, 2008, 8:48 pm

Quixadhal
Conjurer

GroupMembers
Posts330
JoinedMar 8, 2005

Possibly. I was more thinking of key pairs being more secure because you don't need to remember them, and aren't tempted to write them down, or tell your friends what they are so they can do something "real quick".

For example... here's one of my public keys.

ssh-dss AAAAB3NzaC1kc3MAAACBAMv8Jg081lUXybub4PEZxc5gNFM0G833oK5chIi2BXNEC/J5DrvYwc6Iz6FVVZ3Ijnvc8L+mnAyUJf+PMsz2EblJig4rh+lAcTo6HcAMqA9a/
2+IdZXNWSDTcXdoVCrwPDH+eFme3gCBvPkaN4sUOwWl8sopWk/H6hzE9WfgInjlAAAAFQCRrjfgX5HPhS3Xfrfmpg2oHVqQlwAAAIBm9Erg00kyC5b4WDleXTTzQDKHWmMUXdm/UP
Fgk4XsOGucoOtAiYkD15j/U7Ohpvhl7xj1+60e4vqjarA/RV5PQ4iE2FYF2w09Zxp+NNIjHFOpM4UTjILq5hy6EncVW0zFki1tqqqZ1zvj05k1PwlZz8uTJ0kR1Zj3CMijnq3wbAA
AAIB7baXhglfkWWoeujmQSYPoQLLvkpvJTWK87Xdy+YUAmkjqoOiq25lx9L+fu/QMFRGxy6gVCg3Cq+BdysofcydXeCp4wUTdMrQMBxd+E7jkKtj08Mf/4QmCQvyxNWx6Abe3wnie
XolFddgIhtwk7HjiJf2NzjKE+EG0aq0LD0gvng==

You having that does NOT give you access to my character, but it would allow you to verify that I am me. To log in as me, you'd also need the private key, and to get that you'd need to hack my system or convince me to send you both sides.

I dunno about you, but I would think even people who aren't very security-minded would think twice before going to the effort to export their public AND private keys and then send them via email to someone, as opposed to typing a word or two in chat, or yelling across the room.

#23 Jan 5, 2008, 3:31 am

David Haley
Sorcerer

GroupMembers
Posts903
JoinedJan 29, 2007

Quixadhal said:

I was more thinking of key pairs being more secure because you don't need to remember them, and aren't tempted to write them down, or tell your friends what they are so they can do something "real quick".

Well, something somewhere needs to store at least the private key, so that you can send it during authentication. Granted that could happen automatically by the client, but still... And then, once you have it written down (digitally), you could be tempted to leave it around in various places in much the same way you'd leave your password lying around (digitally). But at least you can protect the private key with a passphrase (and then, you're just pushing the problem back to that level).

Quixadhal said:

I dunno about you, but I would think even people who aren't very security-minded would think twice before going to the effort to export their public AND private keys and then send them via email to someone, as opposed to typing a word or two in chat, or yelling across the room.

Yes, I agree.

Pages:<< prev 1, 2 next >>