Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)
Eric Rescorla
ekr at rtfm.com
Tue Jan 29 10:38:14 EST 2002
Ben Laurie <ben at algroup.co.uk> writes:
> Eric Rescorla wrote:
> > I don't know exactly what Pegwit does, but most of these schemes
> > are still vulnerable to dictionary attacks by trying arbitrary
> > passphrases and seeing if they generate the correct public key.
> > It's of course slower since the test operation is slower.
>
> If you want to slow down test operations, then iteration is good.

I agree.

> BTW, I don't see why using a passphrase to a key makes you vulnerable to
> a dictionary attack (like, you really are going to have a dictionary of
> all possible 1024 bit keys crossed with all the possible passphrases?
> Sure!).

Unfortunately, "dictionary attack" is used differently by different
people. There are two different kinds of attacks here:

(1) A brute-force attack such as is used by Crack where you
    successively try a small subset of the passphrase space in
    the expectation that it is the space that people are likely
    to populate. (This is what RFC 2828 calls a dictionary attack).

(2) A table-driven attack where you have an enormous table
    (say of passphrases to keys) and just do a lookup in the table.

I was referring to the former, which is quite practical against
such a system. The latter probably consumes too much memory to
be practical.

-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
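
Added example, not part of the original message and not Pegwit's actual scheme: a passphrase audit showing why a public key derived deterministically from a passphrase acts as an offline check for guesses, and how iteration raises the cost of each test. The toy group (2**127 - 1, generator 3), the PBKDF2 stretching step, the fixed salt and all function names are assumptions made for illustration.

```python
import hashlib
import time

# Toy discrete-log group, for illustration only (assumption, far too small for real use).
P = 2**127 - 1   # Mersenne prime
G = 3

def public_key_from_passphrase(passphrase: str, iterations: int) -> int:
    """Stretch the passphrase into a private exponent x, then return G^x mod P."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), b"constructed-salt", iterations)
    x = int.from_bytes(stretched, "big") % (P - 1)
    return pow(G, x, P)

def audit_passphrase(published_key: int, candidates, iterations: int):
    """Return the candidate that regenerates the published key, or None.

    This is the test operation from the thread: anyone holding only the
    public key can check a guess without ever contacting the key owner.
    """
    for guess in candidates:
        if public_key_from_passphrase(guess, iterations) == published_key:
            return guess
    return None

def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure the average cost of one test operation at this iteration count."""
    start = time.perf_counter()
    for i in range(trials):
        public_key_from_passphrase(f"probe-{i}", iterations)
    return (time.perf_counter() - start) / trials

def time_to_cover(wordlist_size: int, iterations: int) -> float:
    """Estimated seconds for one core to test every entry of a guess list."""
    return wordlist_size * seconds_per_guess(iterations)

if __name__ == "__main__":
    likely = ["password", "letmein", "correct horse", "pegwit2002"]  # constructed list
    weak_key = public_key_from_passphrase("letmein", 1000)
    strong_key = public_key_from_passphrase("q7#Vd-unlisted-9fK2mZ", 1000)
    print("weak key falls to:", audit_passphrase(weak_key, likely, 1000))
    print("strong key falls to:", audit_passphrase(strong_key, likely, 1000))
    for n in (1, 1000, 100000):
        print(f"{n:>6} iterations: {time_to_cover(10**6, n):,.0f} s per million guesses")
```

Iteration scales the cost of every guess linearly but does not enlarge the passphrase space, so a passphrase inside the commonly used subset still falls, only more slowly.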