[Cryptography] how to encrypt for the very long term?

Michael Kjörling michael at kjorling.se
Mon Jul 30 15:42:25 EDT 2018


On 30 Jul 2018 14:18 +0200, from calestyo at scientia.net (Christoph Anton Mitterer):
> things like forgetting a password go beyond the scope of the question.
> 
> 
> My main point was that e.g. gpg supports only a limited set of
> algorithms (e.g. AES, CAMELLIA, TWOFISH) ... and especially it seems
> there is no modern key derivation function available, even with the
> maximum number of s2k iteration it goes pretty fast.

Well, if that's the biggest issue you're seeing with GPG, then it's
easy to use passphrases that provide sufficient randomness to
withstand brute-force attacks. That the S2K is fast doesn't matter if
the S provides as much randomness as the ultimate K and thus attacking
the S confers no advantage to the attacker over attacking the K even
if the S2K was instantaneous, _and_ attacking the K is impractical.

It only takes a 20 words long properly generated Diceware passphrase
to provide in excess of 256 bits worth of randomness (20 * log2(6^5) =
258). Add a few more words because your dice probably aren't perfectly
balanced, and 22-24 Diceware words should be plenty enough to match
the theoretical security of a 256-bit key. With EFF's dictionary, that
can be compressed into 60-72 alphabetic characters; themselves, if
chosen at random (obviously not the case for Diceware, as 6^5 < 26^3
by about half), providing between log2(26^60) ~ 282 and log2(26^72) ~
338 bits of randomness. With the standard English Diceware dictionary,
the passphrase ends up being around 104-125 characters; or you could
use the dice values directly for 100-120 digits' worth of passphrase
yielding 258-310 bits' worth of randomness.

At that point, I really don't see how you'd need to worry about
attacks on the cryptographic primitives. Some form of rubber hose
cryptanalysis becomes a very much more viable option well before that
point...

One big upside of using an established solution like GPG (or more
generally OpenPGP) is that it's unlikely to go away in a hurry.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
  “The most dangerous thought that you can have as a creative person
              is to think you know what you’re doing.” (Bret Victor)
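
The entropy argument in the message above, as an added example that is not part of the original post: it computes how many Diceware words match a target key size, compares the cost of guessing the passphrase against guessing the derived key, and generates a dice-value passphrase. The function names and the `s2k_work_bits` parameter are hypothetical, and the OS CSPRNG stands in for physical dice.

```python
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5                            # one Diceware word = 5 dice rolls
WORDLIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # 6^5 = 7776


def bits(symbols: int, alphabet_size: int) -> float:
    """Entropy in bits of `symbols` independent, uniform picks from an alphabet."""
    return symbols * math.log2(alphabet_size)


def words_needed(target_bits: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def effective_bits(passphrase_bits: float, key_bits: int,
                   s2k_work_bits: float = 0.0) -> float:
    """Work factor of the cheapest brute-force path: guess the passphrase
    (each guess costing 2**s2k_work_bits, a hypothetical stretching cost)
    or guess the derived key directly."""
    return min(passphrase_bits + s2k_work_bits, key_bits)


def dice_passphrase(words: int) -> str:
    """Passphrase of raw dice values, 5 digits per Diceware word,
    drawn from the OS CSPRNG instead of physical dice (an assumption)."""
    groups = []
    for _ in range(words):
        rolls = (secrets.randbelow(DICE_SIDES) + 1 for _ in range(ROLLS_PER_WORD))
        groups.append("".join(str(r) for r in rolls))
    return " ".join(groups)


if __name__ == "__main__":
    n = words_needed(256)
    print(f"{n} words -> {bits(n, WORDLIST_SIZE):.1f} bits")
    # With an instantaneous S2K, a 20-word passphrase is no weaker than the key.
    print("20 words, instant S2K:", effective_bits(bits(20, WORDLIST_SIZE), 256))
    # A short passphrase is the weak point even with stretching (26 bits assumed).
    print("6 words, 2^26 S2K:", round(effective_bits(bits(6, WORDLIST_SIZE), 256, 26), 1))
    print("sample:", dice_passphrase(n))
```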

