Cringely Gives KnowNow Some Unbelievable Free Press... (fwd)

Arnold G. Reinhold reinhold at world.std.com
Tue Jan 29 17:55:37 EST 2002


At 7:38 AM -0800 1/29/02, Eric Rescorla wrote:
>Ben Laurie <ben at algroup.co.uk> writes:
> > Eric Rescorla wrote:
>
>> BTW, I don't see why using a passphrase to a key makes you vulnerable to
>> a dictionary attack (like, you really are going to have a dictionary of
>> all possible 1024 bit keys crossed with all the possible passphrases?
>> Sure!).
>Unfortunately, "dictionary attack" is used differently by different
>people. There are two different kinds of attacks here:
>
>(1) A brute-force attack such as is used by Crack where you
>successively try a small subset of the passphrase space in
>the expectation that it is the space that people are likely
>to populate. (This is what RFC 2828 calls a dictionary attack).
>
>(2) A table-driven attack where you have an enormous table
>(say of passphrases to keys) and just do a lookup in the table.
>
>I was referring to the former, which is quite practical against
>such a system. The latter probably consumes too much memory to
>be practical.
>

I think there are significant advantages to a passphrase-derived 
public key system. It allows total portability and the encryption 
hardware can be totally zeroized between uses.  One of the biggest 
threats to modern cryptosystems is their large electronic footprint 
that leaves too much room to hide things.

Passphrase-derived public keys also allow very long term storage of 
keys (e.g. on acid free paper in a vault) without worries about 
deterioration of media or inability to read old formats.

Method 2 is totally impossible in systems that use long salt (48 bits 
or more) or probably unique salt, e.g. an e-mail address or complete 
phone number.

Here are three very practical techniques to protect against Method 1:

The first is aggressive key stretching that burns up on the order of 
1 second of processing time and utilizes silicon-consuming resources 
like memory and 32-bit multiplies.

The second is for the system itself to suggest strong passphrases. 
Users could ignore the suggestion but nothing can protect a user who 
is not willing to follow recommended precautions. With good key 
stretching even a 5-word Diceware passphrase (64-bit entropy) would 
provide strong protection.

The third would be to combine the password and salt with a secret 
stored in the encryption device. This makes the key dependent on the 
device, but requires the attacker to capture both the device and the 
passphrase.


Arnold Reinhold
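
An added worked example (not part of the original message or of any project Reinhold describes) that puts the three countermeasures above into one passphrase-to-seed derivation. It is Python; scrypt is assumed as the concrete "aggressive key stretching" (the message names none), its cost parameters are assumed values chosen to consume both CPU time and memory, and the passphrase, e-mail-address salt and device secret are constructed sample inputs. Turning the derived seed into an actual public-key pair is outside what is shown.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Constructed sample inputs (not from the original message).
PASSPHRASE = "cleft cam synod lacy yr"     # a 5-word Diceware-style passphrase
SALT = b"alice@example.com"                # "probably unique" salt: an e-mail address

# Assumed scrypt cost parameters: ~16 MiB of RAM and a noticeable fraction of a
# second per derivation on commodity hardware, so each guess is expensive in both
# time and "silicon-consuming resources" (memory), as the message recommends.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def random_salt(bits: int = 48) -> bytes:
    """Alternative to a name-based salt: a random salt of at least 48 bits,
    stored alongside the (public) key material. It is not secret; its job is
    to make a precomputed passphrase-to-key table useless across users."""
    return os.urandom(bits // 8)


def derive_seed(passphrase: str, salt: bytes,
                device_secret: Optional[bytes] = None, length: int = 32) -> bytes:
    """Derive a fixed-length secret seed from passphrase + salt (+ device secret).

    Technique 1: memory-hard key stretching, so a brute-force (Crack-style)
    attacker pays the same per-guess cost the legitimate user pays once.
    The seed would then feed a deterministic key generator for the key pair."""
    stretched = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=length)
    if device_secret is None:
        return stretched
    # Technique 3: fold in a secret held only by the encryption device. Keyed
    # by that secret, the final seed cannot even be test-derived without the
    # device, so an attacker needs both the device and the passphrase.
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()[:length]


def diceware_entropy_bits(word_count: int, list_size: int = 7776) -> float:
    """Technique 2: entropy of a passphrase drawn uniformly from a word list
    (Diceware uses 7776 words, 5 dice). Five words give about 64.6 bits."""
    return word_count * math.log2(list_size)


def expected_attack_years(entropy_bits: float, seconds_per_guess: float) -> float:
    """Expected brute-force time: half the passphrase space at one stretched
    derivation per guess. Used to compare stretching costs, not as a prediction."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * seconds_per_guess / (365.25 * 24 * 3600)


if __name__ == "__main__":
    seed = derive_seed(PASSPHRASE, SALT)
    print("seed for alice:", seed.hex())
    # Same passphrase, different salt: a table built for one salt is useless.
    print("seed for bob:  ", derive_seed(PASSPHRASE, b"bob@example.com").hex())
    print("device-bound:  ", derive_seed(PASSPHRASE, SALT, os.urandom(32)).hex())
    bits = diceware_entropy_bits(5)
    print(f"5-word Diceware: {bits:.1f} bits; "
          f"brute force at 1 s/guess: {expected_attack_years(bits, 1.0):.2e} years")
```

The salt is deliberately not secret: long or unique salt defeats the table-driven attack (Method 2) because a table would have to be rebuilt per salt, while the stretching and the device secret are what raise the cost of the Crack-style attack (Method 1). When tuning the scrypt parameters, measure one derivation on the slowest device that must use the key and aim for the ~1 second the message suggests.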



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



