[Cryptography] Very best practice for RSA key generation

jamesd at echeque.com jamesd at echeque.com
Wed Nov 6 18:31:43 EST 2019


On 2019-11-06 03:58, Jon Callas wrote:

> We have no idea what the best thing to do there would be. The intuition that less typing is more reliable is questionable -- assuming you agree with my assertion that four words is *easier* than fifteen hex digits. It might be that words from a larger list (and thus more unusual) might be more memorable than more commonly used words. Or it might not. We don't know. That's a lot of what James and I were talking about.
> 
> I was adding to that that you might be able to add error correction to the typing task, and make the human's job easier. On a simple case of that, the sorts of error correction we get all the time can fix things. If I mistype the word "weird" (which is weird because it breaks the I-before-E rule of thumb) transposing I and E, the system knows what I meant. (And as a matter of fact, when I intentionally typed that misspelling here, it autocorrected.)

One obvious solution is to have the permitted word list, and have some 
algorithm that picks the nearest word in the word list, and then 
displays the autocorrected passphrase.  (Which the user can retype if 
the "correction" picked the wrong word, as is notoriously apt to happen.)

Which requires a word list, which I don't have, and algorithm to pick 
the nearest word in that word list, which I don't have and do not 
particularly want to write.

I would think that there should be a pile of open source word lists and 
a pile of such open source algorithms around somewhere, but I cannot 
immediately find them, and do not want to re-invent the wheel.


More information about the cryptography mailing list