Re: my KDF vs dictionary attacks



Antony Clements wrote:
"Bryan Olson" <fakeaddress@xxxxxxxxxxx> wrote in message news:3EtFj.35442$J41.5817@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
David Eather wrote:
To anyone else: Seriously I want some feedback, was what I posted too difficult / confused / obscure etc. to be useful? Yes my email address if you prefer.
Giving a specific answer to a gibbering question is tricky business.
When the OP wrote, "the salt has 1 requirement, it must encrypt into a 32 character string, no more and no less, this means that the salt has a minimum of 5 digits and a maximum of 20 digits," did you understand what he meant? I sure didn't.

some encryption systems will give a larger output if the input is larger than a certain criteria, for example, twofish will encrypt a 5 character string into a 32 character output string, and it will do this as long as the input string is no more than 20 characters, it's not rocket science to figure out that different size inputs to a given algorithm will give different sized outputs

You have this all wrong. Twofish is a block cipher. All block ciphers work on a group of bytes at one time, e.g. Twofish is 128-bit or 16 bytes. DES is a 64-bit block cipher - 8 bytes at a time. If the input to the cipher is less than that of the block size the encryption will be problematic as all the other bytes loaded in are random or undefined.

There are two exceptions to this. One is if the block cipher is used in counter mode, thereby turning it into a stream cipher and the other is if you use the more complex idea of cipher text stealing.

If the dictionary is just input phrases, then key stretching increases
the work factor, but salting does not. Salts are not secret.

according to what I have read salting does increase the work factor, I cite the wiki article on cryptographic salts

according to that article an attacker must compute a hash for every word (or in my case a pass phrase) and every possible salt value because the attacker does not know the salt (regardless of if the authorized user knows it or not), this leads to a very large work load if there is a sufficiently large amount of possible pass phrases.

You must work under the assumption that the salt is known.

I have even taken the salting out of the user's hands by generating a random value which is encrypted with twofish and appended to the end of the ciphertext for the program to use in decryption... this is why the output string of the encrypted salt needs to be a set size

now the attacker not only needs to find the user input pass phrase and the salt to create the base hash of the _first block_ of plaintext, but also the key for the twofish decryption

it may very well be easier to try every possible passphrase with every possible salt to find the key which is used internally by the program

but even then with the base hash for any given _block key_ (that is a key that is used for one block and one block only) known to the attacker, you still need to go through 2^512 possible permutations to find the actual key that is used for that block

now add a second block of plaintext, the salt is the last output of the sbox so that's not a whole lot to worry about, but you still need to rehash the useable key from the previous block 65536 times appending the hash value of the iteration number each time, and then going through the 2^512 permutation sequences to find the correct useable key for the _second block_



ALTERNATELY

one could even more easily just create a string that is the length of the known ciphertext and iterate through each possibility

assume that the plaintext is 128 bytes long, that's 2 blocks worth as each block is 64 bytes, the key is as long as the plaintext (in this case 128 bytes) so that for the attacker to brute force the key must iterate through 2^512 * n to find the key for the ciphertext where n is the number of blocks of ciphertext
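As an added example, not part of the original thread: a small audit model of the salt-versus-stretching point argued above, measuring how much work a wordlist check costs when the salts are known. PBKDF2-HMAC-SHA256 is a stand-in for the KDF under discussion, and the function names, wordlist and passphrases are constructed for illustration.

```python
import hashlib
import os

def derive(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stand-in KDF: PBKDF2-HMAC-SHA256 (not the KDF proposed in the thread)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)

def make_records(passphrases, iterations, shared_salt=None):
    """Store (salt, derived_key) per user; the salt sits in the clear beside the key."""
    records = []
    for p in passphrases:
        salt = shared_salt if shared_salt is not None else os.urandom(16)
        records.append((salt, derive(p, salt, iterations)))
    return records

def audit(records, wordlist, iterations):
    """Check stored records against a wordlist, as a password audit would.

    The salts are read straight from the records. One table of derived keys
    is built per distinct salt and reused for every record sharing that salt.
    Returns (matches, work), where work counts PRF iterations spent.
    """
    tables = {}
    for salt, _ in records:
        if salt not in tables:
            tables[salt] = {derive(w, salt, iterations): w for w in wordlist}
    matches = [tables[salt].get(key) for salt, key in records]
    return matches, len(tables) * len(wordlist) * iterations

# Constructed sample data, not taken from the thread.
WORDLIST = ["letmein", "password1", "correct horse", "hunter2"]
USERS = ["hunter2", "hunter2", "k9#Vq-long-random-phrase"]

def compare(iterations=1000):
    """Work for one shared salt, unique salts, and unique salts unstretched."""
    shared = audit(make_records(USERS, iterations, b"fixed-salt-value"), WORDLIST, iterations)
    unique = audit(make_records(USERS, iterations), WORDLIST, iterations)
    plain = audit(make_records(USERS, 1), WORDLIST, 1)
    return {"shared": shared, "unique": unique, "unstretched": plain}

if __name__ == "__main__":
    for name, (matches, work) in compare().items():
        print(f"{name:12} matches={matches} work={work}")
```

The weak passphrase is matched in every case because the salt is readable; unique salts only stop one table from serving several records, while the iteration count multiplies the cost of every guess.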


