On Mon, Apr 11, 2005 at 10:38:40AM +0100, Steve Simon wrote: > I want to backup my secstore on other machines, and > he 9grid nodes seem the obvious place. I trust > the 9grid adminstrators as far as I can (I have never met them), > but in the general case, how secure is the secstore from > a dictionary attack by bootes? > > I have read the text on secstore in /sys/doc/auth.ps but I > don't feel qualified to make a decision. > > Any security experts out there? > > -Steve
First: I don't claim to be a security expert :) The algorithms used are similar enough to those used in other systems (that have been used for a good while and are currently considered secure) for me to feel comfortable with it. Keys are stored with Rijndael+CBC, so birthday attacks aren't going to be likely either. I think that you'd need to be more worried about transmitting keys over plain text protocols. You will never be protected against dictionary attacks by one who has access to the keys in their encrypted form, but the PAK protocol used in secstore ``prevents dictionary attacks on the password by passive wiretappers or active intermediaries'' (i.e. active or passive third parties). If you choose strong passwords (passphrases are good these days), dictionary attacks should be infeasible. So unless someone finds a way to access the memory with the decrypted passphrases (or your password is `moo'), you should feel safe with the methodology used by factotum / secstore. --Devon
pgpa2udY0taWK.pgp
Description: PGP signature
