Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)

Eric Rescorla ekr at rtfm.com
Tue Jan 29 10:38:14 EST 2002


Ben Laurie <ben at algroup.co.uk> writes:
> Eric Rescorla wrote:
> > I don't know exactly what Pegwit does, but most of these schemes
> > are still vulnerable to dictionary attacks by trying arbitrary
> > passphrases and seeing if they generate the correct public key.
> > It's of course slower since the test operation is slower.
> 
> If you want to slow down test operations, then iteration is good.
I agree.

> BTW, I don't see why using a passphrase to a key makes you vulnerable to
> a dictionary attack (like, you really are going to have a dictionary of
> all possible 1024 bit keys crossed with all the possible passphrases?
> Sure!).
Unfortunately, "dictionary attack" is used differently by different
people. There are two different kinds of attacks here:

(1) A brute-force attack such as is used by Crack where you
successively try a small subset of the passphrase space in
the expectation that it is the space that people are likely
to populate. (This is what RFC 2828 calls a dictionary attack).

(2) A table-driven attack where you have an enormous table 
(say of passphrases to keys) and just do a lookup in the table.

I was referring to the former, which is quite practical against
such a system. The latter probably consumes too much memory to
be practical.

-Ekr

-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
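
Added example (not part of the original message, and not Pegwit's code): a Python sketch of the two attack kinds distinguished above against a key derived from a passphrase. It shows how iteration multiplies the cost of every test and why a full table is a storage problem. `derive_public`, the PBKDF2 stand-in for key generation, the salt constant, the size estimates and the wordlist are assumptions constructed for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-demo"  # assumption: fixed value, the thread describes no salt
WORDLIST = ["password", "letmein", "correct horse", "qwerty"]  # constructed sample


def derive_public(passphrase: str, iterations: int) -> bytes:
    """Stand-in for passphrase -> key pair -> public key (assumption).
    A real scheme would compute a public key from the derived secret; a hash
    of the secret is enough here to model "the public value anyone can see"."""
    secret = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, iterations)
    return hashlib.sha256(b"pub" + secret).digest()


def guess_audit(target_pub: bytes, candidates, iterations: int):
    """Kind (1): derive each likely passphrase and compare with the public key.
    Returns (matching passphrase or None, KDF iterations spent)."""
    work = 0
    for cand in candidates:
        work += iterations  # every test pays the full iteration count
        if hmac.compare_digest(derive_public(cand, iterations), target_pub):
            return cand, work
    return None, work


def build_table(candidates, iterations: int) -> dict:
    """Kind (2): precompute public value -> passphrase once, then look up."""
    return {derive_public(c, iterations): c for c in candidates}


def table_bytes(n_passphrases: int, avg_len: int = 12, key_len: int = 128) -> int:
    """Rough storage for a table of n passphrases paired with 1024-bit keys."""
    return n_passphrases * (avg_len + key_len)


if __name__ == "__main__":
    for iters in (1, 1000, 100_000):
        pub = derive_public("correct horse", iters)
        print(iters, guess_audit(pub, WORDLIST, iters))
    # A passphrase outside the likely subset survives the guessing audit.
    print(guess_audit(derive_public("v7#Rk-unlisted", 1000), WORDLIST, 1000))
    print("table over 2**40 passphrases:", table_bytes(2**40) / 1e12, "TB")
```

The work figure grows linearly with the iteration count, so iteration raises the price of each guess without removing a passphrase that falls inside the likely subset.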



