Hello All,

> Date: Sun, 30 Dec 2001 16:41:03 +0100
> From: Edwin Woudt <[EMAIL PROTECTED]>
> To: "e-gold Discussion" <[EMAIL PROTECTED]>
> Subject: [e-gold-list] Re: e-gold under attack by robots
>
> >> Uhm... digigold used public key based authentication. Clearly that is
> >> superior to any password based mechanism with regard to robot attacks.
> >
> > Any pointers to published information
> > about analysis of this particular case?
>

[ MELTED ]

> Let's be generous and assume that this robot attack is about a million 
> times slower. That means that in the same time one can break a 1024 bit
> RSA key, one can test about 2^65 passphrases.
>
> That translates to a passphrase of about 46 characters of English text (1.4 
> bits of entropy per character) and about 11 characters of truly random 
> characters (uppercase, lowercase, numbers and symbols, 6 bits of entropy 
> per character).
>
> How many people do you know who are willing and capable
> of remembering such passphrases?

I have a rather good opinion of the majority of people, thus
I think that if people understand that their passphrase
is really valuable, which most probably is the case for people
with metal in their accounts, then these people will remember
much longer passphrases.

> The reality is that people do not want to remember complex
> passwords and do not understand the necessity of it. People
> use the same password in many places and it is usually a
> very simple one as well.

These people just do not want to keep their gold,
it may be the case with everything.

> Dictionary software does not help against
> foreign languages or things like 'qwerty'.

It may be a good idea to try the good old Unix crack utility
and feed it the modern FreeBSD system dictionary plus special
crack dictionaries for various languages; everything is
available on the Net in public FTP archives.

> That said, yes, it is possible to use passphrase based authentication that
> is as secure as public key based authentication. The advantage of public 
> key based authentication is that you can be sure that all your users have 
> enough protection, while with passphrase based authentication 99% of them 
> will have insecure passphrases.

e-Gold is a Right Thing for advanced users,
while nobody is able to protect everyone from
doing harm to themselves in all cases.

> > At the same time public key based authentication will
> > prevent e-gold from offering the security of account access
> > from any secure computer using the simplest secure browser
> > with SSL encryption.
>
> Actually this is something you probably don't want: accessing your e-gold 
> account from anything but your own computer (like a public terminal) is a 
> bad idea in the first place. And of course this should also not be the same 
> computer where you open your e-mails with MS Outlook.

If you are in some strange place then you can
download a small FreeBSD (PicoBSD) or Linux distribution
and install it on any 1.44 MB diskette, thus having a pretty
secure operating system with the Lynx browser anywhere,
or two diskettes for Lynx with SSL.

> > User will need to install some alien software in
> > order to compute things needed for public key authentication,
> > which will be rather the source for more security concerns
> > than benefits in this particular case.
>
> That's not entirely true: goldmoney already supports client side
> certificates, which are supported by the major browsers.

If all users use standard client side certificates
then there will be viruses in the wild which harvest
these certificates and send them to malicious people,
while users have a false feeling of security.

Respectfully yours,

Dmitry Salnikov,
http://dmitry-salnikov.com/index.htm

International business catalogue for e-gold users,
http://dmitry-salnikov.com/veda.htm

Gold Web Ring traffic maker for e-gold sites,
http://o.webring.com/hub?ring=gold

FreeBSD, Linux, C/C++, Perl, ...
Web software development services,
English / Russian translations.
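As an added illustration of the entropy arithmetic in the quoted message above (this is not code from the thread or from e-gold), the following reproduces the 46-character and 11-character figures from the 1.4 and 6 bits-per-character models and the 2^65 guess budget, and turns a budget into a time-to-exhaust at an assumed guess rate. The two-way classifier (letters and spaces means "English text", anything else means "random characters") is a deliberately crude assumption, not a real strength meter.

```python
import math

# Entropy models quoted in the thread: English text ~1.4 bits/char,
# truly random printable characters ~6 bits/char.
ENGLISH_BITS_PER_CHAR = 1.4
RANDOM_BITS_PER_CHAR = 6.0

# Guess budget from the thread: a robot attack is assumed to get
# through about 2**65 passphrases in the time it takes to break
# a 1024-bit RSA key.
ROBOT_BUDGET_BITS = 65.0


def passphrase_length_for(budget_bits: float, bits_per_char: float) -> int:
    """Characters needed so the passphrase space is about 2**budget_bits."""
    return round(budget_bits / bits_per_char)


def estimate_entropy_bits(passphrase: str) -> float:
    """Crude two-model estimate (assumption for illustration only):
    letters and spaces -> English-text model, otherwise -> random model."""
    if all(c.isalpha() or c == " " for c in passphrase):
        return len(passphrase) * ENGLISH_BITS_PER_CHAR
    return len(passphrase) * RANDOM_BITS_PER_CHAR


def survives_budget(passphrase: str, budget_bits: float = ROBOT_BUDGET_BITS) -> bool:
    """True if exhausting the passphrase space exceeds the attacker's budget."""
    return estimate_entropy_bits(passphrase) >= budget_bits


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Years to try every passphrase of the given entropy at a constant rate."""
    seconds = 2.0 ** entropy_bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("English chars for 2^65:", passphrase_length_for(ROBOT_BUDGET_BITS, ENGLISH_BITS_PER_CHAR))
    print("Random chars for 2^65:", passphrase_length_for(ROBOT_BUDGET_BITS, RANDOM_BITS_PER_CHAR))
    # Constructed sample passphrases, not from the thread.
    for p in ("the quick brown fox jumps over the lazy dog", "Tr0ub4dor&3"):
        print(repr(p), round(estimate_entropy_bits(p), 1), "bits, survives:", survives_budget(p))
    # Assumed rate of one billion guesses per second, for illustration.
    print("Years to exhaust 2^65 at 1e9/s:", round(years_to_exhaust(ROBOT_BUDGET_BITS, 1e9)))
```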
