SSH Agent keys >4096 bit?

[Peter Lebbing]

On 06/05/12 01:42, Hubert Kario wrote:
> But it's the size of prime used that sets the security level, which
> just happens to share security evaluation with RSA as far as number
> of bits is concerned (IOW: n-bit DH is considered to be as hard to
> attack as n-bit RSA).

Ah, yes, I misunderstood your point.

But the DH protects the session. Cracking DH will get you the session
contents. RSA is only used to authenticate. If it weren't for the
symmetric encryption of the session, you can probably even get a
(plaintext,ciphertext) pair. I've quickly snooped through the RFC's. RSA
is used by the client to sign the "session identifier", which is
determined by DH.

Determining the (plaintext, ciphertext) pair from RSA gets you nothing
in this case. Which is fortunate, because the server you log into also
has the (plaintext, ciphertext) pair after you authenticate.

Actually factoring the semiprime is obviously something completely
different. But we were talking about keeping confidential messages
confidential for decades. There is nothing confidential about an
authentication challenge. Confidentiality is encryption. Authentication
is a form of signing[1]. With signatures, the plaintext is not confidential.

> DH without authentication is useless (trivial to MITM). You need to 
> authenticate the DH params you recieve from the other party before
> you do anything with them.

The /server/ is authenticated during key exchange. The /client/ can also
be authenticated with a plaintext password sent over the encrypted
connection to the server. I don't think the client is authenticated
until after key exchange, whether you use RSA or a password (or another
form of authentication).

Peter.

[1] Signing a challenge, which is still quite different in nature from
signing data.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt