comments wanted on gbde

Jason Holt jason at
Tue Mar 8 13:11:29 EST 2005

On Sun, 6 Mar 2005, David Wagner wrote:

> However, I also believe it is possible -- and, perhaps, all too easy --
> to use GBDE in a way that will not provide adequate security.  My biggest
> fear is that safe usage is just hard enough that many users will end up
> being insecure.  GBDE uses a passphrase to encrypt the disk.  If you can
> guess the passphrase, you can decrypt the disk.  Now in theory, all we
> have to do is tell users to pick a passphrase with at least 80 bits of
> entropy.  However, in practice, this is a pipe dream.  As we know, users
> often pick passphrases with very little entropy.  Practices vary widely,
> but for many users, an estimate in the range of 10-40 bits is probably
> reasonable.  Consequently, dictionary attacks are a very serious threat.
> GBDE does not take any steps to defend against dictionary attacks.
> In GBDE, a passphrase with b bits of entropy can be broken with 2^b AES
> trial decryptions.  This means that people who are using passphrases
> with only 10-40 bits of entropy may be screwed -- their data will not
> be secure against any serious attack.  40-bit security is a very weak
> level of protection.

What would you consider an ideal key management solution for disk encryption,
then?  It seems like any passphrase-based system will be
dictionary-attackable, even with strengthening techniques like iteration,
which provide a linear increase in difficulty to both normal use and attack.
Is that all you were asking for, or are you thinking of token (or network)  
based solutions which can handle better keys than the average human?  (Or, are
there other more exotic techniques which make passphrases harder to break?)
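
The cost arithmetic discussed in this exchange (2^b trials for a b-bit passphrase, with iteration multiplying the cost of the legitimate unlock and of every guess by the same factor), as an added example that is not part of the original post or of GBDE. PBKDF2-HMAC-SHA256 stands in for "iteration" here; the salt, the passphrase space and all function names are constructed for illustration.

```python
import hashlib
import hmac
import math

SALT = b"constructed-salt"  # constructed sample value, not taken from GBDE

def stretch(passphrase: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for "iteration"; GBDE itself does not do this.
    return hashlib.pbkdf2_hmac("sha256", passphrase, SALT, iterations, dklen=32)

def effective_bits(entropy_bits: float, iterations: int) -> float:
    # 2^b guesses, each costing `iterations` PRF calls: b + log2(iterations) bits of work.
    return entropy_bits + math.log2(iterations)

def iterations_needed(entropy_bits: int, target_bits: int) -> int:
    # Iteration count that lifts a b-bit passphrase to 2^target_bits work.
    return 2 ** max(0, target_bits - entropy_bits)

def exhaust(space, iterations, stored_key):
    # Walk a candidate space, counting PRF calls spent; returns (match, ops).
    ops = 0
    for guess in space:
        ops += iterations
        if hmac.compare_digest(stretch(guess, iterations), stored_key):
            return guess, ops
    return None, ops

def demo(iterations: int, bits: int = 8):
    # Constructed 2^bits passphrase space; the real passphrase is the last one tried.
    space = [b"pass-%04d" % i for i in range(2 ** bits)]
    secret = space[-1]
    user_ops = iterations  # cost of one legitimate unlock
    found, attacker_ops = exhaust(space, iterations, stretch(secret, iterations))
    return found == secret, user_ops, attacker_ops

if __name__ == "__main__":
    for it in (1, 64):
        ok, user_ops, attacker_ops = demo(it)
        print(f"iterations={it:3d} user={user_ops} attacker={attacker_ops} "
              f"ratio={attacker_ops // user_ops}")
    for b in (10, 40, 80):
        need = int(math.log2(iterations_needed(b, 80)))
        print(f"{b}-bit passphrase with 2^20 iterations: "
              f"{effective_bits(b, 2**20):.0f} bits of work; "
              f"2^{need} iterations needed to reach 80 bits")
```

The attacker-to-user cost ratio stays at the size of the passphrase space whatever the iteration count, and closing the gap from 40 to 80 bits by iteration alone would take 2^40 iterations per unlock.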

