[8230] in cryptography@c2.net mail archive
Re: migration paradigm (was: Is PGP broken?)
daemon@ATHENA.MIT.EDU (Rick Smith at Secure Computing)
Thu Dec 7 13:44:54 2000
Message-Id: <4.3.2.7.0.20001206152508.00acd720@mailhost.sctc.com>
Date: Wed, 06 Dec 2000 15:43:25 -0600
To: Ray Dillinger <bear@sonic.net>,
"Arnold G. Reinhold" <reinhold@world.std.com>
From: Rick Smith at Secure Computing <rick_smith@securecomputing.com>
Cc: cryptography@c2.net, William Allen Simpson <wsimpson@greendragon.com>
In-Reply-To: <Pine.LNX.4.21.0012051429130.11812-100000@bolt.sonic.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 05:04 PM 12/5/00, Ray Dillinger wrote:

>If someone wants to enter "sex" as a password, s/he deserves
>what s/he gets (although you may put up an "insecure passphrase"
>warning box for him/her).

The problem is that there's no objective way of knowing when a passphrase
becomes 'insecure' since it depends on the amount of effort an attacker
wants to spend trying to crack it. Going after Bill Gates' passphrase may
yield more value than, say, my 12-year-old son's passphrase.

We need to identify the community we're trying to serve here. Alpha
security geeks will probably do whatever is necessary to provide a high
work factor, but most civilians aren't going to understand or care. When
their weak phrases break down, they'll blame the system design anyway. And
they'll be right -- we need to design for the lowest common denominator of
the user community. I admit it's more fun and more reliable to design a
system for use by smart, well trained people, but that's a relatively small
customer base.

If the threat environment suggests we need a lot of entropy, we need to
store it in a device and go with two factor authentication.

>And if the user keeps *ONE* secure passphrase in his/her head, the
>key it generates can be used to unscramble all of the random keys
>stored in an encrypted file.

So, they have to lug that file around anyway. That's two factor
authentication. Why don't you store it on a smart card or something else
portable? Then encode the file so that the effective keys will depend on a
mixture of the file's contents and the passphrase. Ideally, there should be
no way to decide off-line whether the attacker has hit the pass phrase or not.

>"My name is Ozymandias, king of kings:
>Look upon my works, ye Mighty, and despair!"

So the 'new dictionary' for pass phrase attacks contains all the chestnuts
from all the school lit books in the country. I expect there's a lot of
overlap in their choices. As Arnold pointed out, maybe 1.33 bits is an
overestimation.

Does anyone have a citation as to the source of this 1.33 bits/letter
estimate? In other words, who computed it and how? It's in Stinson's crypto
book, but he didn't identify its source. I remember tripping over a
citation for it in the past 6 months, but can't find it in my notes.

Rick.
smith@securecomputing.com
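The key-file scheme sketched in the reply above (a random secret on a portable device, an effective key that is a mixture of that secret and the passphrase, and a file that gives no off-line test of a passphrase guess) can be written out as follows. This is an added illustration, not code from the thread or from any Secure Computing product; the PBKDF2-then-HMAC mixing, the HMAC-SHA256 counter-mode keystream, the 32-byte device secret and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed example of a two-factor key file: the effective key depends on
# both a random secret held on the device and the user's passphrase.
KDF_ITERATIONS = 200_000  # assumption: tuned per deployment, not a standard value


def new_device_secret() -> bytes:
    """Random 32-byte secret that lives on the smart card / portable device."""
    return os.urandom(32)


def derive_effective_key(device_secret: bytes, passphrase: str) -> bytes:
    """Mix passphrase and device secret.

    PBKDF2 stretches the passphrase with the device secret as salt, then an
    HMAC keyed by the device secret binds the result to the device again.
    Without the device secret there is nothing to run a guess against.
    """
    if len(device_secret) < 16:
        raise ValueError("device secret too short")
    stretched = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), device_secret, KDF_ITERATIONS
    )
    return hmac.new(device_secret, stretched, "sha256").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (example construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, "sha256").digest()
        counter += 1
    return bytes(out[:length])


def scramble_key_file(effective_key: bytes, random_keys: bytes) -> bytes:
    """Encrypt the bag of random keys under the effective key.

    Deliberately no checksum, tag or padding: any passphrase guess decrypts to
    equally plausible random bytes, so the file itself offers no off-line test.
    """
    nonce = os.urandom(16)
    ks = _keystream(effective_key, nonce, len(random_keys))
    return nonce + bytes(a ^ b for a, b in zip(random_keys, ks))


def unscramble_key_file(effective_key: bytes, blob: bytes) -> bytes:
    """Inverse of scramble_key_file; never raises on a wrong key."""
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(effective_key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def demo() -> tuple:
    """Round-trip with the right inputs, then show wrong inputs just yield noise."""
    device = new_device_secret()
    random_keys = os.urandom(64)  # two 32-byte keys the user never memorises
    k = derive_effective_key(device, "correct horse battery staple")
    blob = scramble_key_file(k, random_keys)
    recovered_ok = unscramble_key_file(k, blob) == random_keys
    # Wrong passphrase, right device: no error, just different bytes.
    wrong_pass = unscramble_key_file(derive_effective_key(device, "sex"), blob)
    # Right passphrase, wrong device: equally useless.
    other_device = new_device_secret()
    no_device = unscramble_key_file(
        derive_effective_key(other_device, "correct horse battery staple"), blob
    )
    return (
        recovered_ok,
        wrong_pass != random_keys,
        no_device != random_keys,
        len(wrong_pass) == len(random_keys),
    )


if __name__ == "__main__":
    print(demo())
```

The absence of a tag on the key file is what removes the off-line oracle, and it only works because the stored keys are uniformly random. Integrity then has to come from the data encrypted under those keys (an authenticated cipher on the actual payload), and an attacker holding both the card and the key file is reduced to paying the full KDF cost per guess against that payload; someone with the key file alone gets nothing, since the device secret is the salt and HMAC key.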