Password vs data entropy

Sandy Harris sandyinchina at gmail.com
Fri Oct 26 12:04:05 EDT 2007


On 10/26/07, Alex Pankratov <ap at poneyhot.org> wrote:

> Or, rephrasing, what should the entropy of the password be
> compared to the entropy of the value being protected (under
> whatever keying/encryption scheme) ?

The entropy of the data is irrelevant. The question is its
value; that affects both the resources an attacker might
use to get it and the cost to you if it is lost.

If there is no attack on the crypto algorithm better than brute
force (a huge "if"!, but there are available algorithms for which
we can at least say no such attack has been published) and
you can estimate attacker's resources, then you can estimate
key size required for safety.

Te EFF's DES cracker (many custom-built chips in parallel)
broke 56-bit DES in a few days. Assume our brute force
enemy can search a 64-bit space (256 times larger) in a
second (a few million times faster). Then searching a
96-bit space takes him 2**32 seconds, well over a century.
For a 128-bit space, multiply that by another 2**32, so
something over 400 billion years.

You really don't care about minor variation here, e.g.if our
estimates are off by a million and he can do it in 400
million years instead.

So, if your crypto is sound,128 bits should theorectically
be enough for any data and any human time scale.

Practice and theory can differ, though, and you cannot
be utterly certain there's not some unpublished attack
that does awful things to the crypto. I'd use 256 bits
and a well-analyzed algorithm.

-- 
Sandy Harris,
Nanjing, China

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list