Re: hiding encryption keys

Crypto_at_S.M.S
Date: 08/14/05


Date: Sun, 14 Aug 2005 11:03:20 +1000

Joseph Ashwood wrote:
> <Crypto@S.M.S> wrote in message news:11frklv17n77a7a@news.supernews.com...
>
>>Joseph Ashwood wrote:
>>
>>
>>><phillipkim1@yahoo.com> wrote in message
>>>news:1123885941.728141.322420@g49g2000cwa.googlegroups.com...
>>>
>>>
>>>>Hello,
>>>>
>>>>I am in discussions with a vendor regarding the storing of encryption
>>>>keys on systems that exchange information through an application. The
>>>>vendor is advising against storing the keys in the registry and
>>>>suggests hiding them somewhere in the filesystem. They suggest that
>>>>the registry is the first place an attacker would look.
>>>>
>>>>The systems are open to the public internet and web traffic. If the
>>>>keys need to be accessible to the system somewhere locally, which would
>>>>be a better place to store the keys and why? I would think the
>>>>registry would be safer than the file system. Thanks in advance.
>>>
>>>
>>>I'll agree with Unruh that the situation is not at its best.
>>>
>>>IIRC, it is easier to protect something in the Windows registry
>>>by using the encrypted interfaces, but IIRC these are broken, so the extra
>>>security is minimal at best. The typical way of creating a system that
>>>has the potential to be secure is to store Encrypt(User_key,
>>>encryption_keys) (i.e. encryption_keys encrypted with the User_key), then
>>>require that the user enter the User_key; this is a very simplified (e.g.
>>>has holes) version of what PGP does, and where the storage occurs actually
>>>becomes generally irrelevant.
>>>
>>>To have something secure requires secure storage of some kind, whether
>>>that is hardware or the human brain is a potentially very complex design
>>>decision.
>>> Joe
>>
>>Didn't you say that people can not remember pass phrases?
>>And now you refer to the human brain as secure storage?
>
>
> What I said was that people make bad storage devices for large quantities of
> entropy. Each individual has a limit to the amount of entropy they can
> memorize; if each individual can memorize, say, 120 bits, then each passphrase
> they memorize can only have 120/n bits of entropy (on average), where n is
> the number of passphrases. For a single passphrase this would deliver
> 120 bits of entropy, more than enough to be secure; with 3 passphrases it
> would mean a strength of only 40 bits, far below what is needed for security.
> Joe
>
>

120 bits seems like a very low limit.
How are you defining this "amount of entropy they can memorize"?
It seems we disagree on memorisation skills.
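A worked version of the two points argued above (Joe's "store Encrypt(User_key, encryption_keys) and make the user supply User_key" design, and his entropy-budget arithmetic for passphrases), written for this page as an added, stand-alone example; it is not code from the thread or from PGP. Python standard library only. The HMAC-SHA256 counter keystream with encrypt-then-MAC is this example's own illustrative construction (a real system would use AES-GCM or a standard key wrap such as RFC 3394); the scrypt parameters and the 7776-word Diceware list size are assumptions.

```python
import hashlib
import hmac
import math
import os

KEY_LEN = 32    # bytes; the data key being protected
SALT_LEN = 16   # per-blob KDF salt, stored in the clear
NONCE_LEN = 16  # per-blob keystream nonce, stored in the clear
TAG_LEN = 32    # HMAC-SHA256 authentication tag


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a key-encryption key (KEK).

    scrypt is memory-hard, which raises the cost of guessing a low-entropy
    passphrase; the PBKDF2 fallback is weaker but always available.
    Parameters are assumptions for this example, not a recommendation.
    """
    pw = passphrase.encode("utf-8")
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(pw, salt=salt, n=2 ** 14, r=8, p=1, dklen=KEY_LEN)
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 200_000, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: illustrative construction only;
    # use AES-GCM or a standard key wrap (RFC 3394) in production code.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(kek: bytes):
    # Separate encryption and MAC keys derived from the KEK (encrypt-then-MAC).
    return (hashlib.sha256(b"enc" + kek).digest(),
            hashlib.sha256(b"mac" + kek).digest())


def wrap_key(passphrase: str, data_key: bytes) -> bytes:
    """Return salt || nonce || Encrypt(KEK, data_key) || tag.

    The blob may sit in the registry, a file, or anywhere else: without the
    passphrase it only yields a guessing attack against derive_kek().
    """
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_kek(passphrase, salt))
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(enc_key, nonce, len(data_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_key(passphrase: str, blob: bytes) -> bytes:
    """Recover the data key; raises ValueError on a wrong passphrase or a tampered blob."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_kek(passphrase, salt))
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("wrong passphrase or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Words drawn uniformly from a list of wordlist_size entries to reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def bits_per_passphrase(budget_bits: float, n_passphrases: int) -> float:
    """Joe's arithmetic: a fixed memorisation budget shared across n passphrases."""
    return budget_bits / n_passphrases


if __name__ == "__main__":
    # Constructed sample: a fresh random data key protected by a Diceware-style passphrase.
    data_key = os.urandom(KEY_LEN)
    blob = wrap_key("correct horse battery staple", data_key)
    assert unwrap_key("correct horse battery staple", blob) == data_key
    try:
        unwrap_key("Tr0ub4dor&3", blob)
    except ValueError:
        print("wrong passphrase rejected")
    # A 7776-word Diceware list gives log2(7776), about 12.9 bits, per word.
    print("words for 120 bits:", words_needed(120, 7776))
    print("bits each for 3 passphrases from a 120-bit budget:", bits_per_passphrase(120, 3))
```

The point the example makes concrete is that once the data key is wrapped under a passphrase-derived key, the hiding place (registry versus filesystem) stops being the security boundary; what an attacker who copies the blob gets is a guessing attack against the passphrase, so its entropy, not its obscurity, sets the strength. It also shows the limit of that design for the original poster's case: an unattended internet-facing server has nobody to type the passphrase, which is the gap Joe's remark about hardware or the human brain as secure storage is pointing at.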


