29/09/2006, 17:44   #5
Jeff B
Re: ssh passphrases and sarbanes oxley (SOX)

Maybe I haven't had my coffee this morning BUT,
if you change the keys, then old documents encoded under KEY1 will not
be decodeable under the new KEY2. Your public key needs to remain FIXED.

Chuck wrote:
> docmarkus@directbox.com wrote:
>> Hi, group!
>> This question has been addressed to me by a client and I couldn't find
>> a solution on the web yet:
>>
>> As Sarbanes Oxley requires policies like password to be enforced, how
>> is this handled in ssh/openssh?
>> Is there an option to apply aging to a key passprase.
>> Would it make sense?
>>
>> Sorry to be so unspecific!
>> Regards, Markus
>>

>
> IMHO key passphrase aging doesn't gain you anything. If someone gets a
> copy of your private key, they have it encrypted with whatever
> passphrase it was encrypted with at that time, and they then have all
> the time in the world to try to crack it. Remember it's not the
> passphrase that authenticates you to the server, it's the key that does
> that. You could change your passphrase 100 times, but if they finally
> crack that passphrase on that old copy of the key, it's as good as the
> one you're using. If you are going to age anything it should probably be
> the key pair.
>
> Having said that I have to admit that I change my passphrase regularly
> (but not the keypair). The only reason I change it though is to keep it
> in sync with my network password which is required to change every 90 days.
>
> I'd like to hear what the rest of this group has to say on the matter.



--
try a random act of kindness today -- you just might surprise even
yourself
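An added illustration of the point Chuck makes above (this script is not part of the thread and was written for this page; it assumes OpenSSH's ssh-keygen is on PATH, and the passphrases, file names and the attacker's wordlist are made up for the demo): it generates a passphrase-protected key, takes a copy of the file the way an attacker would, then changes the passphrase with `ssh-keygen -p` and, separately, rotates to a new key pair. It then runs a dictionary attack against the stolen copy and checks whether what it recovers is still the key the server trusts.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires OpenSSH's ssh-keygen on PATH.
# Passphrases, file names and the attacker's wordlist are constructed for the demo.
set -eu

if ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "ssh-keygen not found; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Decrypt private key file $1 with passphrase $2 and print "type base64" of the
# public key inside it, i.e. the value a server matches against authorized_keys.
# A wrong passphrase makes ssh-keygen fail, and the caller treats that as a miss.
pubkey_from_private() {
    out=$(ssh-keygen -y -P "$2" -f "$1" 2>/dev/null </dev/null) || return 1
    printf '%s\n' "$out" | awk '{print $1, $2}'
}

# Offline dictionary attack on a copy of the encrypted key. The attacker owns the
# file, so nothing rate-limits the guesses; the only cost is time.
crack_copy() {            # $1 = key file, $2 = space-separated candidate passphrases
    for cand in $2; do
        if pubkey_from_private "$1" "$cand"; then
            return 0
        fi
    done
    return 1
}

# 1. Key generated under the first passphrase; the attacker copies the file.
ssh-keygen -q -t ed25519 -N 'correct-horse-1' -C sox-demo -f "$WORK/id_ed25519" </dev/null
cp "$WORK/id_ed25519" "$WORK/stolen_copy"

# 2. "Passphrase aging": the same private key is re-wrapped under a new passphrase.
ssh-keygen -q -p -P 'correct-horse-1' -N 'correct-horse-2' -f "$WORK/id_ed25519" </dev/null

# 3. Key pair rotation: a new key, to replace the old one in authorized_keys.
ssh-keygen -q -t ed25519 -N 'correct-horse-2' -C sox-demo-rotated -f "$WORK/id_ed25519_new" </dev/null

# Constructed wordlist; it happens to contain the old passphrase.
WORDLIST='password letmein correct-horse-1 hunter2'

# Prints "same" if the key recovered from the stolen copy equals the key the user
# now logs in with ($1), "different" if not, "uncracked" if the wordlist missed.
compare_with_stolen() {
    live=$(pubkey_from_private "$1" 'correct-horse-2')
    if stolen=$(crack_copy "$WORK/stolen_copy" "$WORDLIST"); then
        [ "$live" = "$stolen" ] && echo same || echo different
    else
        echo uncracked
    fi
}

verdict_after_passphrase_rotation() { compare_with_stolen "$WORK/id_ed25519"; }
verdict_after_key_rotation()        { compare_with_stolen "$WORK/id_ed25519_new"; }

echo "after passphrase change, stolen copy still authenticates: $(verdict_after_passphrase_rotation)"
echo "after key pair rotation, stolen copy still authenticates:  $(verdict_after_key_rotation)"
```

Run it with `sh demo.sh`. The first line comes out as "same": changing the passphrase re-encrypts the file on disk but leaves the key pair, and therefore what the server accepts, untouched, so an old copy cracked later is as good as the current file. The second comes out as "different": once a new key pair is installed in authorized_keys and the old public key removed, the cracked copy no longer authenticates anywhere.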