[wplug] Meeting presentation idea: Public Key Encryption

rl_jeffries at comcast.net rl_jeffries at comcast.net
Wed Jan 11 17:46:07 EST 2006


Vance,
Thanks, I'm aware of this article and it's a good one, too. 
What I'm talking about is having a private key, knowing its decryption passphrase, and authenticating when the private key and public key match... On the enterprise level, via a central auth server(s). This is very easy to do for say, ssh accounts on particular hosts. I haven't seen anything yet that does this from a centralized point.

One benefit of this, from my understanding, is that the passphrase would be used to check the local private key (which could be on a thumb drive). The Centralized Auth server(s) would hold a list of authorized public keys (keys are by their nature quite secure, and quite hard to fake, so far). Once there's been a match between the public and private keys (i.e. successful authentication), then the Centralized Auth Server could then determine proper Authorization Levels for the requested authentication.

This would solve the whole weak password thing, which is why I'm interested.
These articles use the current, widely used systems LDAP and Kerberos. These are great systems. But anyone could guess weak passwords anywhere on a network. With what I'm talking about, yes, the passwords could be guessed, but the private key would have to be present to be guessed against. The private key could be protected physically like a set of car keys. The Authentication process would only happen once the unlocked (and hopefully un-stolen) private key matches the public key held in a central/managed location.

Thanks,

-Rob
-------------- Original message -------------- 
From: Vance Kochenderfer <vkochend at nyx.net> 

> "Rob Jeffries" wrote: 
> > Will you answer my post? 
> > http://www.wplug.org/pipermail/wplug/2006-January/027494.html 
> 
> I honestly don't understand the subject well enough to know if this 
> is helpful to you, but Linux Journal has been running a series of 
> articles titled "Single Sign-On and the Corporate Directory." 
> 
> Part 1: 
> Part 2: 
> Part 3: 
> 
> Parts 2 and 3 are for subscribers only (at least, for now) but I 
> can bring all three issues to the GUM if need be. 
> 
> Vance Kochenderfer | "Get me out of these ropes and into a 
> vkochend at nyx.net | good belt of Scotch" -Nick Danger 
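As an added illustration of the scheme Rob sketches above (example code written for this page, not code from the thread or from any project it mentions), the following Go model has a central auth server that stores only authorized public keys, each mapped to an authorization level, and authenticates a client by having it sign a fresh nonce with its private key. The choice of Ed25519, the nonce challenge, and the names AuthServer, Register, Challenge, Verify and Authenticate are assumptions made here; the passphrase that unlocks the private key on the thumb drive is left out of the model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// AuthServer plays the centralized auth server from the post: it holds only
// public keys, each mapped to an authorization level, and no passwords.
type AuthServer struct {
	authorized map[string]string // raw public key bytes -> authorization level
}
func NewAuthServer() *AuthServer { return &AuthServer{authorized: map[string]string{}} }

func (s *AuthServer) Register(pub ed25519.PublicKey, level string) {
	s.authorized[string(pub)] = level
}

// Challenge issues a fresh random nonce so a captured response cannot be replayed.
func (s *AuthServer) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify passes only if pub is authorized and sig is its signature over nonce.
func (s *AuthServer) Verify(pub ed25519.PublicKey, nonce, sig []byte) (string, error) {
	level, ok := s.authorized[string(pub)]
	if !ok {
		return "", errors.New("public key not on the authorized list")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return "", errors.New("signature does not match the presented public key")
	}
	return level, nil
}

// NewClientKey generates the key pair a user would carry on a thumb drive.
func NewClientKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Authenticate runs one round: client signs the nonce, server checks the match.
func Authenticate(s *AuthServer, pub ed25519.PublicKey, priv ed25519.PrivateKey) (string, error) {
	nonce, err := s.Challenge()
	if err != nil {
		return "", err
	}
	return s.Verify(pub, nonce, ed25519.Sign(priv, nonce))
}
```

Guessing at the server side gains nothing here: without the matching private key a client cannot produce a valid signature, and a leaked authorized list exposes only public keys.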