Steven M. Bellovin wrote:

>DSA requires a high-quality random number in every signature operation; 
>if the attacker can figure out that number, he or she can recover the 
>signing key.  If you have enough high-quality randomness lying around, 
>you're fine -- and if you don't, your cryptographic keys aren't going to
>be very good, either.
>  
>
Do both ends matter in this generation?
The server has a hardware random number generator and NetBSD, most
clients are Windows with PuTTY (which says it has a way of doing DSA
without relying on entropy). So I'm not quite sure how that is. Might
switch to RSA before it's too late.

>As for 256-bit keys -- well, the mass of a proton is 1.67*10^-27 kg.  The 
>mass of Jupiter is 1.9*10^27 kg; there are thus ~10^54  protons or 
>neutrons in that planet.  But 2^256 is about 10^77; if we run each 
>subatomic computer at 10^10 trials/sec it will take 10^13 seconds.
>That's about 320,000 years.  Maybe we should use the sun instead; it's 
>about 1000 times larger, so we'd only have to wait 320 years for a 
>solution...
>  
>
Point taken.

>But all this is meaningless.  As I and others have said before, this 
>isn't the weak point.  For far less in the way of resources, I could 
>pay for burglars to plant a keystroke and screen logger, listen for 
>TEMPEST emissions, bribe or coerce someone into putting a back door 
>into the next version of NetBSD and/or its IPsec.  (Don't assume it 
>would be found, either; the record on people finding ordinary bugs 
>isn't too good, let alone ones that someone has tried to conceal.)
>
>  
>
Well that's good to know... :-|

>AES is far from the weak point.  I'm much more worried about the rate of security holes 
>in pkgsrc.
>
>  
>
That's why I'm trying to keep the package installs lean on the server
machine, but there's very little I can do about the Windows clients.

My strategy is to separate the wireless attackers from the ones that
could attack from the internet (either distributing trojans or attacking
Apache and OpenSSH directly). This is naive but it's much simpler this
way. The Windows clients are a significant weakness. I am turning off
NetBIOS on all of them to at least make it less obvious to anyone
watching the signals that they're shoddily-done Windows XP installs, and
this data is broadcast (literally) outside of the tunnel at regular
intervals of X "Microsoft Minutes".

One of the Windows rigs will have to do IPSec with 3DES, which isn't
fun, but certainly gets the job done better than WEP. What turned out
the be the major problem with ARC4? Or was it just WEP's implementation?
It seems very lazily done by some engineer with no real-world or even
theoretical cryptography experience at all, and yet became a standard.
And most people don't know any better.

>		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>  
>
It's a pleasure to hear from people who really know what they're talking
about. A huge relief from all of the rubbish on forums and Slashdot.
Thank you very much for your time and extremely reassuring calculations.