[CentOS] an actual hacked machine, in a preserved state

Tue Jan 3 23:12:10 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/3/2012 2:04 PM, Lamar Owen wrote:
> On Tuesday, January 03, 2012 03:24:34 PM Bennett Haselton wrote:
>> That there are 10^21 possible random 12-character alphanumeric passwords
>> -- making it secure against brute-forcing -- is a fact, not an opinion.
>
>> To date, *nobody* on this thread has ever responded when I said that
>> there are 10^21 possible such passwords and as such I don't think that
>> the password can be brute-forced in that way.
> Hmm, methinks you need to rethink the number.  The number of truly random passwords available from a character set with N charaters and of a length L is N^L. (see https://en.wikipedia.org/wiki/Password_strength#Random_passwords )
>
> If L=12, then:
> For:
> The numerals only: 10^12.
> The Uppercase alphabet only: 26^12 (9.5x10^16)
> Uppers and lowers: 52^12 (3.9x10^20)
> Numerals plus uppers and lowers: 62^12 (3.2x10^21)
> Base64: 64^12 (4.7x10^21)

This is the figure I'm using (because I actually use some chars that 
aren't letters or numbers so I rounded up to 64).  You got on the order 
of 10^21, same as me.

> Full ASCII printables, minus space: 94^12 (4.76x10^23)
>
> This of course includes repeating characters.  NIST recommends 80-bit entropy-equivalent passwords for secure systems; 12 characters chosen at random from the full 95 ASCII printable characters doesn't quite make that (at a calculated 78 bits or so).
I'm not sure what their logic is for recommending 80.  But 72 bits 
already means that any attack is so improbable that you'd *literally* 
have to be more worried about the sun going supernova.
> Having said all of that, please see and read http://security.stackexchange.com/questions/3887/is-using-a-public-key-for-logging-in-to-ssh-any-better-than-saving-a-password
>
> The critical thing to remember is that in key auth the authenticating key never leaves the client system, rather an encrypted 'nonce' is sent (the nonce is encrypted by the authenticating key), which only the server, possessing the matching key to the authenticating key, can successfully decrypt.
Actually, the top answer at that link appears to say that the server 
sends the nonce to the client, and only the client can successfully 
decrypt it.  (Is that what you meant?)
> This effectively gives full bit-strength for the whole key; 1024 bits of entropy, if you will, for 1024 bit keys.  This would appear to require a 157 character random password chosen from all 95 ASCII printable characters to match, in terms of bit entropy.
Yes, I've acknowledged that whether you think 1024 bits is more secure 
than 72 bits depends on how literally you mean "more secure".  If the 
odds of an attack working in the next year are 1 in 10^10, you can 
reduce the odds to 1 in 10^20, which in a strict mathematical sense may 
make you more secure, but -- not really.

Furthermore, when you're dealing with probabilities that ridiculously 
small, they're overwhelmed by the probability that an attack will be 
found against the actual algorithm (which I think is your point about 
possible weaknesses in the stream cipher).

However, *then* you have to take into account the fact that, similarly, 
the odds of a given machine being compromised by a man-in-the-middle 
attack combined with cryptanalysis of the stream cipher, is *also* 
overwhelmed by the probability of a break-in via an exploit in the 
software it's running.  I mean, do you think I'm incorrect about that?  
Of the compromised machines on the Internet, what proportion do you 
think were hacked via MITM-and-advanced-crypto, compared to exploits in 
the services?

It was that calculation I was making when I kept insisting that there 
must be something more probable than brute-forcing the login or 
decrypting the session -- and if I hadn't stood my ground about that, 
the discussion never would have gotten around to SELinux, which, if it 
works in the manner described, may actually help.

> Obviously, the authenticating key's protection is paramount, and the passphrase is but one part of that.  But that key never travels over the wire.
>
> In stark constrast, in password auth the password has to leave the system and traverse the connection, even if it's over an encrypted channel (it's hashed on the server end and compared to the server's stored hash, plus salt (always did like a little salt with my hash....!), not the client, right? After all, the client may not possess the algorithm used to generate the hash, but password auth still works.).  This leaves a password vulnerable to a 'man in the middle' attack if a weakness is found in the negotiated stream cipher used in the channel.
>
> Even with a full man-in-the-middle 'sniff' going on, the key pair authentication is as strong as the crypto used to generate the key pairs, which can be quite a bit stronger than the stream cipher.  (56 bit DES, for instance, can be directly brute-forced in 'reasonable' amounts of time now).  Pfft, if I understand the theory correctly (and I always reserve the right to be wrong!), you could, in theory, securely authenticate with keys over a nonencrypted session with a long enough nonce plaintext and the nonce's ciphertext traversing the wire in the clear.  Of course, you encrypt the actual session for other reasons (primarily to prevent connection hijacking, since that defeats the Authorization and Accountability portions of triple-A), but the session encryption and the key auth are two distinct processes.
>
> I've been reading this thread with some amusement; while brute-forcing is an interesting problem it is far from the most important such problem, and simple measures, like not allowing random programs to listen on just any port (or for that matter make random outbound connections to just any port!) is just basic stuff.  Machines are hacked into almost routinely these days without any initial knowledge of the authentication method or credentials, but by security vulnerabilities in the system as set up by the admin.  SELinux and iptables are two of the most useful technologies for helping combat this problem, but they (and any other tools to improve security) must be properly configured to do any good at all.
The problem with such "basic stuff" is that in any field, if there's no 
way to directly test whether something has the desired effect or not, it 
can become part of accepted "common sense" even if it's ineffective.  
(Consider how many doctors recommended stomach-sleeping for babies 
before a more sophisticated study was done, or how many health advocates 
used to recommend margarine over butter...)  And once something has 
become "standard", admins sometimes have a legal incentive to use it -- 
reinforcing its de facto status as "common sense" -- even if deep down 
they realize that it's ineffective.  If your server does get broken into 
and a customer sues you for compromising their data, and they find that 
you used passwords instead of keys for example, they can hire an 
"expert" to say that was a foolish choice that put the customer's data 
at risk.  Even if the odds of that being the true cause of the break-in 
are less than 1 in 10^10, the odds of fooling the judge are considerably 
greater.  (This is true of many fields, where some professionals say 
they feel they have to go along with the conventional wisdom even if 
they think it's wrong, because if something blows up for unrelated 
reasons, they could be sued by someone who thinks the catastrophe 
happened because they went against the herd.)

Case in point: in the *entire history of the Internet*, do you think 
there's been a single attack that worked because squid was allowed to 
listen on a non-standard port, that would have been blocked if squid had 
been forced to listen on a standard port?

What's unique about security advice is that some of it can be rejected 
just on logical grounds, to move the discussion on to something more 
likely to help.  If I hadn't argued the point about passwords vs. keys 
(not to mention about prevention vs. detection), the thread would have 
been over before it got to SELinux and what kinds of attacks it can 
mitigate by controlling where a compromised web server can write and run 
files.

> And there are many many more Best Practices which have been (and continue to be) refined by many years of experience out in the field.  Reality is reality, whether the individual admin likes it or not, sorry.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos