Private Key Generation from Passwords/phrases

Travis H. travis+ml-cryptography at subspacefield.org
Sat Jan 20 19:41:34 EST 2007


On Fri, Jan 19, 2007 at 12:11:40AM -0800, Bill Stewart wrote:
> One of the roots of the problem is that for many applications,
> i is a well-defined event and P(i) is a fixed value (for i) ,
> but for many other applications,
> i might not be a well-defined event, and/or
> P(i) is really a conditional probability, P(i|other-stuff-you-know),
> and it's hard to tell whether that's
> usefully different from the non-conditional P(i).

Yes; in textbooks, the author is usually kind enough to give a
complete description of the source; in cryptanalysis, you're usually
looking at the output and making inferences about the source, and
thus, the entropy.

> Another entropy example was the Venona decryptions -
> people banging "randomly" on typewriters didn't actually produce
> independent or identically distributed letters,
> so the conditional probabilities didn't actually match
> the assumed ones, so the entropy estimates were wrong,
> and human language plaintext being what it is,
> they really needed the 1-bit-per-bit of key entropy.

Actually, my reading of a book on Venona said they captured some
unused OTP on microfilm, but weren't able to use the non-randomness of
the source to decrypt anything.  Someone here mentioned that the
entropy of the plaintext and the OTP have to merely add to 1 to
prevent decryption; the OTP does not necessarily have to provide it
all.  Shannon's estimates were that English prose carries about 1 bit
per symbol.

There were some decrypts of material; the official explanation is that
they recovered a partial codebook and discovered some OTP re-use (the
KGB encoded then superenciphered it).

BTW, dictionary attacks can probably be effectively resisted by
making the hashes of passwords twice as big, and using a random value
concatenated with the password before hashing, and storing it alongside
the hash (it's like crypt(3) salting, but more so).  If the password is
important to keep from disclosure beyond the needs of this security
system, one could even truncate the output of the hash to half its size,
so that there are multiple preimages; since you doubled the hash size to
begin with, you end up with the same security factor against guessing,
I believe.
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
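The salted, widened-then-truncated password hash sketched in the last paragraph, as an added worked example (this is not the poster's code and the list never gives one). It assumes SHA-512 as the "twice as big" hash relative to a 256-bit one, a 16-byte random salt stored next to the tag, and, purely to make the "multiple preimages" effect visible, a toy truncation to 2 bytes for the second-preimage search; those three choices are the example's, not the post's. The dictionary attack is a constructed one over a three-word list, to show that the per-record salt forces the attacker to rehash every candidate for every record.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 16        # bytes of random salt kept beside each tag (example's choice)
FULL_LEN = 64        # SHA-512 output, 512 bits: "twice as big" relative to SHA-256
TRUNC_LEN = 32       # keep half (256 bits) so many (salt, password) pairs share a tag


def tag(salt: bytes, password: str, out_len: int = FULL_LEN) -> bytes:
    """Hash salt||password with SHA-512 and keep the first out_len bytes."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()[:out_len]


def make_record(password: str, out_len: int = FULL_LEN):
    """Return (salt, tag): the salt is stored in the clear next to the tag."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt, tag(salt, password, out_len)


def verify(record, password: str) -> bool:
    """Recompute the tag with the stored salt; length of the stored tag decides truncation."""
    salt, stored = record
    return hmac.compare_digest(stored, tag(salt, password, len(stored)))


def dictionary_attack(records, wordlist):
    """Guess every record from a wordlist.

    Returns ({record_index: word}, hash_evaluations). Because each record has its
    own salt, a candidate word must be rehashed once per record; an unsalted scheme
    would let the attacker hash each word once and compare it against every record.
    """
    hits = {}
    work = 0
    for i, (salt, stored) in enumerate(records):
        for word in wordlist:
            work += 1
            if tag(salt, word, len(stored)) == stored:
                hits[i] = word
                break
    return hits, work


def second_preimage(salt: bytes, stored: bytes, limit: int = 1_000_000):
    """Brute-force a different input that maps to the same truncated tag.

    Only feasible for a toy tag length (1-2 bytes); with 256 bits kept, the
    expected effort is 2**256 hashes. Shows that truncation leaves many inputs
    per tag, so a leaked tag does not pin down one password.
    """
    for n in range(limit):
        candidate = "x%d" % n      # constructed candidates, never equal to a real word
        if tag(salt, candidate, len(stored)) == stored:
            return candidate
    return None


if __name__ == "__main__":
    rec = make_record("correct horse", TRUNC_LEN)
    print("verify ok:", verify(rec, "correct horse"), "wrong:", verify(rec, "battery staple"))

    # constructed records and wordlist for the dictionary-attack demonstration
    users = [make_record("password"), make_record("hunter2")]
    print(dictionary_attack(users, ["123456", "password", "letmein"]))

    # toy 16-bit tag: a second preimage turns up after ~65k tries
    demo_salt = bytes(SALT_LEN)
    demo_tag = tag(demo_salt, "secret", 2)
    print("second preimage for 16-bit tag:", second_preimage(demo_salt, demo_tag))
```

The guessing cost is unchanged by the truncation: an attacker still has to hash each candidate under the record's salt and compare, and 256 retained bits are far beyond what enumeration reaches. What the truncation buys is that a stolen tag no longer singles out the password, since about 2^256 inputs of the 2^512 possible full digests share it.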