password-cracking by journalists...
Steven M. Bellovin
smb at research.att.com
Sat Jan 19 19:38:02 EST 2002
In message <Pine.SOL.4.30.0201200101340.17593-100000 at kruuna.Helsinki.FI>, Sampo
Syreeni writes:
>On Thu, 17 Jan 2002, Steven M. Bellovin wrote:
>
>>For one thing, in Hebrew (and, I think, Arabic) vowels are not normally
>>written.
>
>If something, this would lead me to believe there is less redundancy in
>what *is* written, and so less possibility for a dictionary attack.
>
>>Also, there are a few Hebrew letters which have different forms when
>>they're the final letter in a word -- my understanding is that there are
>>more Arabic letters that have a different final form, and that some have
>>up to four forms: one initial, two middle, and one final.
>
>At least Unicode codes these as the same codepoint, and treats the
>different forms as glyph variants. Normalizing for these before the attack
>shouldn't be a big deal.
>
>>Finally, Hebrew (and, as someone else mentioned, Arabic) verbs have a
>>three-letter root form; many nouns are derived from this root.
>
>This would facilitate the attack, especially if the root form is all that
>is written -- it would lead us expect shorter passwords and a densely
>populated search space, with less possibility for easy variations like
>punctuation.
>
Right -- there are factors pushing in both directions, and I don't know
how it balances.
Your mention of Unicode, though, brings up another point: the encoding
that's used can matter, too. If UCS-2 or UCS-4 (16 and 31-bit
encodings) are used, I believe that there are many constant bits per
character. Even UTF-8 would have that effect.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list