Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)
Arnold G. Reinhold
reinhold at world.std.com
Tue Jan 29 17:55:37 EST 2002
At 7:38 AM -0800 1/29/02, Eric Rescorla wrote:
>Ben Laurie <ben at algroup.co.uk> writes:
>> Eric Rescorla wrote:
>
>> BTW, I don't see why using a passphrase to a key makes you vulnerable to
>> a dictionary attack (like, you really are going to have a dictionary of
>> all possible 1024 bit keys crossed with all the possible passphrases?
>> Sure!).
>Unfortunately, "dictionary attack" is used differently by different
>people. There are two different kinds of attacks here:
>
>(1) A brute-force attack such as is used by Crack where you
>successively try a small subset of the passphrase space in
>the expectation that it is the space that people are likely
>to populate. (This is what RFC 2828 calls a dictionary attack).
>
>(2) A table-driven attack where you have an enormous table
>(say of passphrases to keys) and just do a lookup in the table.
>
>I was referring to the former, which is quite practical against
>such a system. The latter probably consumes too much memory to
>be practical.
>
I think there are significant advantages to a passphrase-derived
public key system. It allows total portability and the encryption
hardware can be totally zeroized between uses. One of the biggest
threats to modern cryptosystems is their large electronic footprint
that leaves too much room to hide things.
Passphrase-derived public keys also allow very long term storage of
keys (e.g. on acid free paper in a vault) without worries about
deterioration of media or inability to read old formats.
Method 2 is totally impossible in systems that use long salt (48 bits
or more) or probably unique salt, e.g. an e-mail address or complete
phone number.
Here are three very practical techniques to protect against Method 1:
The first is aggressive key stretching that burns up on the order of
1 second of processing time and utilizes silicon-consuming resources
like memory and 32-bit multiplies.
The second is for the system itself to suggest strong passphrases.
Users could ignore the suggestion but nothing can protect a user who
is not willing to follow recommended precautions. With good key
stretching even a 5-word Diceware passphrase (64-bit entropy) would
provide strong protection.
The third would be to combine the password and salt with a secret
stored in the encryption device. This makes the key dependent on the
device, but requires the attacker to capture both the device and the
passphrase.
Arnold Reinhold
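The three defenses in the post, worked through as an added example that is not the author's code: a memory-hard stretching function (scrypt, standing in for the "aggressive key stretching"), a unique public salt such as an e-mail address, and an optional secret held in the device. The function names, the scrypt cost parameters and the sample e-mail addresses are assumptions, not anything from the thread.

```python
import hashlib
import hmac
import math
import time
from typing import Optional

# Assumed cost parameters: n=2**14, r=8 makes each scrypt derivation touch
# about 16 MiB of RAM. On a real device, raise n until one derivation takes
# roughly a second; stretch_cost_seconds() below measures that.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def derive_key_seed(passphrase: str, salt: str,
                    device_secret: Optional[bytes] = None,
                    n: int = SCRYPT_N) -> bytes:
    """Return a 32-byte seed from which a key pair can be regenerated.

    salt: a long, unique, public value (e.g. the owner's e-mail address).
    A unique salt makes a precomputed passphrase->key table useless, since
    the table would have to be rebuilt per salt.
    device_secret: optional secret stored in the encryption device; when
    given, the same passphrase on another device yields an unrelated seed,
    so an attacker needs both the device and the passphrase.
    """
    if not salt:
        raise ValueError("salt must be non-empty")
    pw = passphrase.encode("utf-8")
    if device_secret is not None:
        # Bind the device secret to the passphrase before stretching.
        pw = hmac.new(device_secret, pw, hashlib.sha256).digest()
    # scrypt's memory use (about 128*r*n bytes) is the "silicon-consuming"
    # property the post asks for; a guess cannot be made cheap in hardware.
    return hashlib.scrypt(pw, salt=salt.encode("utf-8"), n=n, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32, maxmem=64 * 1024 * 1024)


def stretch_cost_seconds(n: int = SCRYPT_N) -> float:
    """Wall-clock cost of one derivation; use it to tune n toward ~1 s."""
    start = time.perf_counter()
    derive_key_seed("timing probe", "probe@example.com", n=n)
    return time.perf_counter() - start


def diceware_entropy_bits(num_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of num_words words drawn uniformly from a Diceware list.

    The standard list has 6**5 = 7776 entries, so 5 words give ~64.6 bits,
    the figure the post relies on.
    """
    return num_words * math.log2(wordlist_size)
```

A brute-force (Method 1) attacker must pay the full scrypt cost per guess per salt, so with 64.6 bits of passphrase entropy and one second per guess the expected search time is astronomically long.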
---------------------------------------------------------------------
The Cryptography Mailing List