I ask this question because, I think, we now can reasonably assume the following
Question
I ask this question because, I think, we now can reasonably assume the following:
1. NSA can break VPN and SSH: This is stated many times in the unclassified slides. Also, GCHQ has demonstrated (and boasted) about this capability in the wild.
2. NSA has a database of stolen keys: They can somehow get SSH keys. The slides imply they have a database of stolen keys (I think it says something like, 'check to see if key in DB').
3. It is easier to steal the private/public keys than it is to steal the TOTP from my air-gapped phone/iPod touch.
If it is true that agencies can easily acquire keys, then would it not make more sense to use password + Google TOTP second factor authentication for each SSH login?
It seems Google's TOTP second factor authentication does not work out-of-the-box if public key auth is used. So, there is a temptation to disable public keys and use only password + second factor.
Taking the latest leaks into account, if I have to choose between public key auth and password + TOTP second auth, which is better in terms of security? (I explicitly cannot use both).
(I don't care about convenience, they are both the same for me).
Thank you.
Explanation / Answer
If the second factor is something that you have, and that cannot be copied, then it can be very secure.
RSA tokens (as was shown by the Lockheed Martin breach) may be physically secure, but if the backend is hacked, then they can be completely compromised, which is why the mass recall/replacement of RSA tokens was carried out.
The answer will depend entirely on your risk/threat model. If you are an NSA target I would imagine it won't matter either way. (In reality it doesn't look like there is any proof they can break SSH - just that they are very good at getting around it)
How well does your infrastructure/processes protect an SSH key? How good are your users at protecting a 2nd factor? Is that 2nd factor an SMS? Or a physical device? Or a phone call?
You can see why this is not an easy question to give a definitive answer to.
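As an added illustration that is not part of the question or the answer above: a minimal RFC 6238 TOTP verifier of the kind behind Google Authenticator's six-digit codes. It makes the answer's backend point concrete. The phone and the SSH server hold the same seed, so anyone who copies the server's seed store computes exactly the code the phone is showing; what the verifier adds over a plain password is only the time window, a replay check on the step counter, and a constant-time compare. The seed, timestamps and the `stolen_seed_attack` helper are constructed for this example (the seed is the RFC 6238 Appendix B test secret).

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # Google Authenticator defaults: 30-second steps, 6 digits, HMAC-SHA1
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP is HOTP with the counter set to the number of whole steps since the epoch."""
    return hotp(seed, now // step, digits)


def verify_totp(seed: bytes, code: str, now: int, last_counter: int,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Accepts the current step and `window` steps either side
    to absorb clock skew, but never a step at or below `last_counter`, so a code
    captured in transit cannot be replayed inside its validity window.
    Returns (accepted, updated_last_counter)."""
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        # constant-time compare so the verifier does not leak which digit mismatched
        if hmac.compare_digest(hotp(seed, candidate, digits), code):
            return True, candidate
    return False, last_counter


def seed_from_base32(text: str) -> bytes:
    """Google Authenticator provisions seeds as unpadded base32; restore padding before decoding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# Constructed sample seed: the RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
SERVER_SEED = b"12345678901234567890"


def stolen_seed_attack(stolen_seed_store_entry: bytes, now: int) -> str:
    """Hypothetical attacker helper: with a copy of the server's seed store and a clock,
    the attacker derives the same code the legitimate phone is displaying."""
    return totp(stolen_seed_store_entry, now)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SERVER_SEED, now)
    print("phone shows       :", code)
    print("attacker computes :", stolen_seed_attack(SERVER_SEED, now))
    ok, counter = verify_totp(SERVER_SEED, code, now, last_counter=-1)
    print("first use accepted:", ok)
    print("replay accepted   :", verify_totp(SERVER_SEED, code, now, counter)[0])
```

The asymmetry the question is really asking about shows up in what each side stores: an SSH server keeps only the public half of a key pair, so compromising the server does not hand over the client credential, whereas a TOTP server keeps the very seed the phone uses, so a dump of that store is equivalent to cloning every enrolled token. That is the RSA SecurID situation the answer describes, reproduced in a few lines.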