Re: RFC-2898 Appendix B
From: Brian Gladman (brg_at_nowhere.at.all)
Date: 03/31/04
- Next message: Jean-Luc Cooke: "Re: Is this secure?"
- Previous message: John Burton: "Re: Is this secure?"
- Next in thread: Kev: "Re: RFC-2898 Appendix B"
- Reply: Kev: "Re: RFC-2898 Appendix B"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Mar 2004 18:27:54 +0100
"Chun" <jang.yeop.chun-no-spam@reflective-technologies.com> wrote in message
news:Y3VydHdpbGw=.2ddd07251102c1c13c75623929798206@1080746050.nulluser.com...
> Brian Gladman wrote:
> > Do you mean RFC 2898?
> Yes.
>
>
> > True. But there are very few security environments in which such a large
> > keyspace is not negated by many other factors.
>
> Can you help me to understand these other factors? Are some of them fixed by
> using Safeboot Solo or DCPP or SecureDoc? Are you talking about leaking
> information into the swap or slack space, leaving unencrypted copies around,
> etc?
Assuming that you have a strong cipher with a 128 bit key, the probability
that someone will choose a key at random and find it is correct is around 1
in 3 * 10^38. Take any _practical_ figure you want for the amount of
computing power to throw at a brute force key search and you will still find
that the probability of finding the key will be vanishingly small.
Right now the practical limit on brute force key search is probably around
80-bits. Hence the safety factor in a 128 bit key is around 2^48 or 1 in
10^14. In consequence unless we have a long term secrecy requirement
(several decades), 128 bit keys are as strong as anyone is likely to need.
Now consider - for a password based secrecy product - what the probabilities
are of _other_ types of weakness. The password choice might be poor; it might
be inadvertently revealed by its owner; it might be written down; it might
be subject to a whole range of technical attacks.
And the machine on which the product runs might, as you hint, have a
significant number of exploitable weaknesses. Moreover there is a high
probability that this machine will be Internet connected and the probability
that a determined attacker can penetrate it - however small this is - will
be _very_ large when compared with the probability that an attacker can
defeat a 128-bit key.
Considering passwords with random printable ASCII characters gives us less
than 7 bits of entropy per character and hence a password length of 18+
characters to match a 128 bit key - and what proportion of users are going
to use such a long random password? And even if they do, how many are
going to remember it without writing it down?
In practice many people don't use long random passwords but long pass
phrases that have some structure that allows them to be remembered and here
the entropy per character can drop to as low as 1.5 bits per character.
Hence a pass phrase might have to be around 85 characters in order to match
the strength of a 128-bit key.
So just how many real pass phrases match this sort of requirement? There
are quite a few studies around on this and those I am aware of all suggest
that the answer is effectively none.
In other words, if you truly need the sort of protection available from
128-bit (and longer) keys, you don't start from passwords.
Brian Gladman
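The arithmetic behind the post's figures (the 2^128 keyspace, the 2^48 margin over an assumed 80-bit brute-force limit, 18+ random ASCII characters or around 85 pass-phrase characters to match a 128-bit key), as an added Python example that is not part of the original message. It assumes each password character is drawn uniformly at random from its alphabet, takes the 80-bit limit and the 1.5 bits per character pass-phrase figure from the post, and rounds lengths up to the next whole character (which is why it reports 19 and 86 where the post says "18+" and "around 85"). The `random_password_bits_ceiling` helper and the sample password are my own additions: it gives only an upper bound that a real, structured password never reaches.

```python
import math
import string

# Bits of entropy per character when each character is drawn uniformly
# at random from an alphabet of the given size (log2 of the alphabet size).
def bits_per_char(alphabet_size: int) -> float:
    return math.log2(alphabet_size)

# Smallest password length whose total entropy reaches key_bits, given
# the entropy contributed by each character. Rounds up to a whole character.
def required_length(key_bits: int, entropy_per_char: float) -> int:
    return math.ceil(key_bits / entropy_per_char)

# Safety margin, in bits, between the key length and the key length that
# is assumed to be within reach of a brute-force search (80 bits in the post).
def safety_margin_bits(key_bits: int, brute_force_limit_bits: int) -> int:
    return key_bits - brute_force_limit_bits

# Upper bound on the entropy of a password, assuming every character was
# chosen uniformly at random from the union of the character classes that
# actually appear in it. Structured or dictionary-derived passwords have
# far less entropy than this figure; it is a ceiling, not an estimate.
# (Helper added for illustration; not from the post.)
def random_password_bits_ceiling(password: str) -> float:
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation or c == " " for c in password):
        alphabet += len(string.punctuation) + 1  # 32 symbols plus space
    if alphabet == 0:
        return 0.0
    return len(password) * bits_per_char(alphabet)

# The figures discussed in the post, for a key of key_bits bits.
def report(key_bits: int = 128) -> dict:
    printable = 95  # printable ASCII: 26 + 26 + 10 + 32 punctuation + space
    return {
        "keyspace": 2 ** key_bits,
        "safety_margin": 2 ** safety_margin_bits(key_bits, 80),
        "random_ascii_bits_per_char": bits_per_char(printable),
        "random_ascii_length": required_length(key_bits, bits_per_char(printable)),
        "random_7bit_length": required_length(key_bits, 7.0),
        "passphrase_length_1_5_bits": required_length(key_bits, 1.5),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
    # Constructed sample password, not taken from the page.
    sample = "Pa55word!Example"
    print(f"ceiling for {sample!r}: {random_password_bits_ceiling(sample):.1f} bits")
```

Running it shows a 16-character mixed-class password reaching at most about 105 bits even under the uniform-random assumption, still short of the 128-bit key it is protecting; with the 1.5 bits per character the post cites for memorable pass phrases, the same 16 characters are worth about 24 bits.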