Re: my KDF vs dictionary attacks
- From: David Eather <eather@xxxxxxxxxx>
- Date: Mon, 24 Mar 2008 00:43:00 +1000
Antony Clements wrote:
"David Eather" <eather@xxxxxxxxxx> wrote in message news:13uauj5pn9sfcdc@xxxxxxxxxxxxxxxxxxxxx
Terminology might be catching you here. Using the hash function rather than applying the password as a key directly is a good move. "Stretching" has a meaning of making the password to key function take more time.
Ahh, ok, thanks for the clarification on that one. I thought it was just making it fit the key length requirements of the cypher.
Not trivial, but certainly possible. This is what password stretching helps with. Because the password to key function now takes time to compute, a smaller number of possibilities may be sufficient; the reason is that it takes more time to find the key, and with a little bit of luck or design that can be pushed into the realms of infeasible for the attacker.
2^512 is a massive number. Having a known s-box is not a problem; almost all crypto algorithms have known s-boxes (also, "linear" is a crypto term with a specific meaning. Most s-boxes are reasonably non-linear).
As I said, once the input to the s-box is known, every output is known. I need to redesign it; some help on that front would be appreciated.
There is a new cipher called Mugi that sounds similar to what you are aiming for - it may provide some inspiration.
http://en.wikipedia.org/wiki/MUGI
I am assuming you are using the hash function to assemble a stream cipher. The number of iterations does make a difference for the starting point. No one can search the entire 2^512 outputs that are possible, so they will attack by trying to find the password - making the initial password to key transform slow makes the attacker's work more difficult. The wiki example for example adds the equivalent of 16 bits more to the key because of the time it takes.
Yes, I am creating a stream cipher that processes 4 bytes at a time; each call to the encypher function processes a total of 64 bytes, or one block of key.
I modified my code this morning to iterate 65536 times (please note I am also making a correction to the pseudo-code):
    key = hash( password + salt )
    for i = 1 to 65536 do
        f(key & hex(i))
        salt = sbox(salt)
        key = hash( key + salt )
There are other answers possible, for example I don't understand your question. I can't see any reason to do what I think you are suggesting. I don't know why you are thinking of a 200000 entry dictionary of pass-phrases, why you want one, or why you want to expand it. To compete with the wiki example you would want something like 13,107,200,000 entries.
The wiki entry on cryptographic salts uses 200,000 dictionary entries. I used that value as well because without a given size of dictionary the calculation would not have been possible; it in no way indicates the size of any dictionary in use now or in the future.
In fact, if the user makes use of non-English characters as well as English characters, the attacker would need to compile a dictionary of size 2^128 to test every possibility of a 16 character pass phrase.
Ok, let me rephrase the question; I'll break it up into two parts for ease of reading.
part 1)
Assume a user key of 128 bits that uses only English words and letters. Would the dictionary to attack such a pass phrase be smaller than if the pass phrase input from the user utilized every possible character within the byte table? By byte table I am referring to characters null - ÿ.
Yes it would be smaller, but you have this all mucked up.
If you feed the password into a hash function it puts out a fist-full of bytes in the range of 0 - 255. That numeric output is what you should use as the key.
part 2)
Given that there are 4 possible key sizes that can be utilized by the user, would an attacker need to compile a dictionary for all key sizes, irrespective of whether the pass phrase only uses English words or not?
The pass phrase and the key are not the same thing. An attacker would use the same dictionary for all key lengths assuming a direct attack on the key was infeasible.
You are just SO LUCKY that JP no longer posts here.
I expect he would have flamed me till the cows came home and then plonked me, much like most people here have done, minus the excessive flaming.
JP used the English language with almost absolute precision. If you left any ambiguity in what you wrote then pretty soon you would envy the rats being dissected in high school biology classes. It was often amusing if you weren't the subject. In maybe 2 years JP caught me dozens of times; I caught him once.
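A worked illustration of the stretching idea discussed in this thread (65536 rounds of a salted hash, which David puts at about 16 extra bits of work, and a 200,000-entry dictionary becoming 13,107,200,000 hash evaluations). This is added example code, not either poster's own; the password and salt are constructed sample values, and the s-box and f() steps of Antony's design are deliberately not modelled. PBKDF2 from hashlib is shown beside the hand-rolled loop as the standard construction that gives the same effect.

```python
import hashlib
import math
import time

# Constructed sample values for the demonstration (not taken from the thread).
ITERATIONS = 65536            # the poster's count: 2^16 rounds of stretching
SALT = b"constructed-16byte-salt"


def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated-hash stretching in the spirit of the thread's pseudocode.

    Starts from hash(password + salt) and re-hashes `iterations` times,
    mixing in the round counter so every round's input differs.
    """
    key = hashlib.sha512(password.encode() + salt).digest()
    for i in range(1, iterations + 1):
        key = hashlib.sha512(key + salt + i.to_bytes(4, "big")).digest()
    return key


def stretch_pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The standard way to get the same effect: PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)


def extra_key_bits(iterations: int) -> float:
    """Work-factor gain from stretching, expressed as equivalent key bits (log2)."""
    return math.log2(iterations)


def equivalent_dictionary(dictionary_size: int, iterations: int) -> int:
    """Hash evaluations an attacker spends testing a whole dictionary against
    one salted, stretched password; i.e. the unstretched dictionary size that
    would cost the same amount of work."""
    return dictionary_size * iterations


if __name__ == "__main__":
    t0 = time.perf_counter()
    key = stretch("correct horse battery staple", SALT)
    elapsed = time.perf_counter() - t0
    print(f"stretched key: {key.hex()[:32]}...  took {elapsed:.3f}s per guess")
    print(f"{ITERATIONS} iterations add ~{extra_key_bits(ITERATIONS):.0f} bits of work")
    print(f"200,000 entries x {ITERATIONS} rounds = "
          f"{equivalent_dictionary(200_000, ITERATIONS):,} hash evaluations")
```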