[Cryptography] Anti-clipper team re-assembles

Michael Kjörling michael at kjorling.se
Wed Jul 8 09:42:16 EDT 2015

On 8 Jul 2015 02:09 +0000, from rsalz at akamai.com (Salz, Rich):
>> Passwords of insufficient entropy should be a larger concern.
> It doesn't matter how good your password is, if HTTPS isn't really secure.

Or stated otherwise, if the crypto itself (either the algorithm or the
implementation) is _broken by design_, then it doesn't matter how
great a password you are using: you can _never_ get good security with
such a system, because the weakest link becomes uncontrollable.

In which case, if anything, we are making higher entropy passwords
basically pointless, at least against certain classes of attackers;
right along with introducing vulnerabilities that are potentially
exploitable by _other_ adversaries as well. The math doesn't care
whether it's Government A or Criminal Organization B or School Kid C
or Intended Recipient D trying to gain access.

I agree that real-world password entropy in many cases is at best
dismal. But that's no excuse for making other (unrelated) things
_worse_. If anything, it should be an argument for making the most
that we reasonably can out of what little entropy we do have.

Additionally, password entropy is, to a large degree, controllable by
the end user; algorithm design and sometimes even selection is not. I
can _choose_ to use a long, high-entropy passphrase kept only in my
head and accept the disadvantages that come with that, knowing that
the disadvantages to any attacker trying to gain access to my data
through at least some means are even greater. I can use a long-running
PBKDF to stretch the available entropy further. With backdoored
crypto, I can't say any of that, because at least certain attackers
won't need to even touch my passphrase.

If there's one thing I think history has taught us that is relevant
here, then it is that weaknesses designed to allow only a certain
class of attackers do, sooner or later, allow the same attack for
other classes of attackers as well. No need to invoke Kerckhoffs,
even; Moore and Murphy are more familiar to most people, and serve to
illustrate the point well enough in many cases. Or go ahead and watch
the original _War Games_ movie, or consider Logjam.

Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
