Any cryptographic, social or physical lock is always best attacked and defeated at the weakest point.
Failure of security is (almost) always due to the squishy bits found between keyboards and monitors. Attack there.
Example: you generated an 8192-bit public/private key pair and then put a passphrase on the private key to protect it. Fine: breaking the key itself would presently take an eternity, or a quantum computer (barring algorithmic flaws). But the passphrase is your pet dog’s name, because it is easy for you to remember and to type … and so, as soon as someone gets hold of your ‘password protected’ private key file by whatever means, the squishy bit that chose the dog’s name has ensured that a short dictionary run will open every lock that key protects.
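To make the point concrete, here is an added example (not from the original page) that models a passphrase-protected private key file and runs a dictionary attack against it. The file format is a toy standing in for PKCS#8 or OpenSSH key encryption: PBKDF2-HMAC-SHA256 turns the passphrase into an encryption key and a MAC key, the key material is XORed with a SHA-256 counter-mode keystream, and an HMAC tag tells a guesser whether the passphrase was right. The wordlist, the mangling rules, the iteration count and the placeholder key material are all constructed for the demonstration; the key itself could be 8192 bits or 8 and it would make no difference to the outcome.

```python
import hashlib
import hmac
import os
import secrets

# Toy model of a passphrase-protected private key file: key material encrypted
# under a key derived from the passphrase with PBKDF2-HMAC-SHA256, plus an HMAC
# tag so a wrong guess is detectable. Real formats (PKCS#8, OpenSSH) differ in
# detail but share this shape. The iteration count is kept low (constructed
# value) so the demo runs quickly.
ITERATIONS = 10_000


def _keystream(enc_key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: a toy stream cipher for the demo, not for production.
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(enc_key + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def _derive(passphrase: str, salt: bytes):
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return dk[:32], dk[32:]          # encryption key, MAC key


def protect(key_material: bytes, passphrase: str) -> dict:
    """Produce the 'password protected private key file' as a dict of bytes."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive(passphrase, salt)
    ks = _keystream(enc_key, len(key_material))
    ciphertext = bytes(a ^ b for a, b in zip(key_material, ks))
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def unprotect(blob: dict, passphrase: str):
    """Return the key material, or None if the passphrase is wrong."""
    enc_key, mac_key = _derive(passphrase, blob["salt"])
    tag = hmac.new(mac_key, blob["salt"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    ks = _keystream(enc_key, len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


# Constructed wordlist standing in for "things people name their dogs".
PET_NAMES = ["max", "bella", "charlie", "rex", "buddy", "molly"]


def candidate_passphrases(words):
    """Each word plus the mangling rules people actually apply to 'strengthen' it."""
    for w in words:
        for cand in (w, w.capitalize(), w + "1", w + "123", w + "!"):
            yield cand


def dictionary_attack(blob: dict, candidates):
    """Try each candidate in turn; return (passphrase, guesses) or (None, guesses)."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if unprotect(blob, cand) is not None:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # Placeholder key material; the attack never needs to know what it is.
    key = b"-----BEGIN PRIVATE KEY----- (placeholder) -----END PRIVATE KEY-----"

    weak = protect(key, "rex")
    found, n = dictionary_attack(weak, candidate_passphrases(PET_NAMES))
    print(f"dog's name as passphrase: recovered {found!r} after {n} guesses")

    strong = protect(key, secrets.token_urlsafe(24))
    found, n = dictionary_attack(strong, candidate_passphrases(PET_NAMES))
    print(f"random passphrase: recovered {found!r} after {n} guesses")
```

The lesson is in the second run as much as the first: the same file format, the same key derivation and the same wordlist get nowhere against a random passphrase, because the lock that actually matters was never the key length, it was the choice made by the squishy bit.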
To combat this, the logic which is (and should be) applied is that of an onion skin. No single layer will protect you; multiple layers, each (unfortunately) with its own squishy bits, will. Any one layer may be ‘broken’ in turn, but it is the depth of the layers that keeps you (as best as can be hoped for) secure. A critical fact which many miss is that each of these layers must also be independent of, and distinct from, the others in order to be effective. Chaining the ‘locks’ (letting one credential, or one compromised layer, open the next) is all too common, and once the first key is in the lock, all the other tumblers fall easily.
Using the example of Wireless Security:
For a personal home user, difficult-to-break security can readily be set up with relatively inexpensive equipment, i.e. just a suitable wireless router and a (PC based) firewall.
Configure the wireless router for WPA-PSK with a long, random pre-shared key.
Apply MAC filtering so that only specific devices may connect to the router (a thin layer on its own, since client MAC addresses are visible on the air and trivially spoofed, but it costs an attacker one more step).
Disable DHCP and use fixed IP addresses (just because we can).
Connect the router to the firewall and create a Blue (wireless) network interface.
Only permit the MAC address of the wireless router for Blue access.
Configure the firewall to only permit a VPN tunnel from Blue (wireless) to Green (internal).
Generate the corresponding key pair for the VPN access.
Protect the internal machines (Windows/Linux) with suitable network access requirements (domain/workgroup/usernames/passwords/etc.).
At the outset, it would appear that we have to break, in order, WPA-PSK, then the router’s MAC filtering, then determine the network address range, then the firewall’s MAC filtering, then the firewall’s VPN tunnelling, then the target machine’s security … sounds hard, and it would be.
However, examine the actual ‘lock’ usage of the (assumed) ‘squishy bit’ user’s laptop … which was left sitting on the desk …
Open the door, smash a window, use social engineering; whatever means gives physical access …
(Domain/machine) logon password = pet dog’s name.
The laptop then logs in, auto-connects to the wireless network (saved configuration), brings up the VPN connection, and uses the (already supplied or saved) password to connect to the network shares and/or domain, regardless of the WPA-PSK and VPN passwords chosen or the length of the VPN keys used.
‘Impossible to crack’ locks have all tumbled in order. One very weak password, and we’re done.
The locks broken in this case were the physical access lock and the social lock (the squishy bit was allowed to choose the domain/machine password), which are often not considered at all.
Then again, maybe it was left on the desk already logged on … wouldn’t that have been the ultimate in easy?
If you treat every potential entry point as hostile, the onion skin method makes an attack as difficult as possible. Unfortunately, that is the best you can do when dealing with squishy bits.
Never leave the locks unattended when unlocked.
Never chain your locks, for any reason.
And never, ever use weak locks (passwords).