Hi, can some one please clarify a few things for me regarding the relation of password strength to the algorithm you are using. i.e, lets say I use a program to generate a password. Lets say the first password is 28 chars long, all lowercase, and no special chars in it. Only numbers and letters. The program tells me the bit strength of the password is 141bit. Then, lets say I generate a 64 char password, using upper, lower, numbers, and special chars, and it tells me this password is 385bit.

My question is, when I use these passwords, to do exactly the same thing, which is encrypt lets say for example a volume using AES (rijndael), which is 256bit key, 128 bit block, what relevance does the 141bit/385bit passwords have with the 256bit encryption the algorithm offers? Or, does the password not affect the encryption level? Does the password have more relevance to the hash algorithm instead, and if not, what is the has algorithm for?? or am I just too confused? I have read a bit about encryption trying to understand, but the answer does not seem to pop out anywhere and hit me on the head if you know what i mean.

The only thing I can assume at this point in time, is that the strength of the password is only relevant to some one guessing it, or brute force attacks on it, thus once revealed, granting full access to all my data. If the password was too strong, then brute force attacks may not be successful in a reasonable amount of time thus deterring the attack? So strong passwords are needed from this line of attack (and the hash? algorithm being used is also important to the password security). BUT, the algorithm used is critical not from the password perspective, but from the point of view that one day, someone will work out how to deciphr the code, and then be able to access the data, password or no password, which at point in time, the length and stregth of the password is not relevant, as they can now just deciphr the data through understanding the algorithm?.

And one last question :) Have I got it all wrong lol

Sorry if these questions are maybe not worded clearly.

Cheers Greg

A little taster for you.

Encryption Software

http://www.wilderssecurity.com/showthread.php?t=98048

Encryption Strengths

http://www.wilderssecurity.com/showthread.php?t=109981

Cryptography and Computer Security Resources

http://www.schneier.com/resources.html


StevieO

Thanks StevieO, I had read them, and a few others, but I am still confused if hash algorithms have anything to do with strength of encryption. I am also confused if password strength in bits is directly related to strength of encryption algorithm, or the password strength is only relevant to brute force attacks on the password itself. I use truecrypt, and in the inital setup of an encrypted volume, it lets you choose a hash algorithm. In the manual, it states this for the hash algorithm, which I don't quite understand :) -
'Quote'
Hash Algorithms
In the Volume Creation Wizard, in the password change dialog window, and in the Keyfile
Generator dialog window, you can select a hash algorithm. A user-selected hash algorithm is used
by the TrueCrypt Random Number Generator as a pseudorandom “mixing” function, and by the
header key derivation function (HMAC based on a hash function, as specified in PKCS #5 v2.0) as
a pseudo-random function. When creating a new volume, the Random Number Generator
generates the master key, secondary key (LRW mode), and salt. For more information, please see
the chapter Technical Details, section Random Number Generator and section Header Key
Derivation, Salt, and Iteration Count.




What I also don't understand, is if someone has your file for example, but (this is according to truecrypt) even though they have your file, they can not in anyway tell it was created by truecrypt, nor can they tell what the algorithm being used is, then how would they start to crack it? Would brute force password attack work, as I don't see how they would know how to, if they dont even know what the file is and how it was created. Or is this nieve of me?
So, if they can not dictionary attack it, but they are assuming that it is encrypted with something by something, they surely now must start to work out what algorithm it has been encrypted with. Once they know it is, say AES 256, is it going to be harder for them to decipher the file if it was encrypted using a high strength password, compared to a lower strength one, and all this is assuming that they still don't know it was done by truecrypt, which is what leads me to ask again, what is the relevance of the hash algorithm in truecrypt.

I have very little experience with this sort of thing, and all the info I read never seems to answer it completly.

Cheers Greg

Hi Greg,

I would think that a casual observer would just be confused and not know what to do with it. Someone with a vested interest, or curious with some knowledge as to what it may be, would probably try the most popular decrypt packages first to see it any of them recognised it. If not i presume if they were interested enough etc, they would move down the list of other crypts till they found a match.

After that it's out with the brute force etc tools to try and crack it. As i imagine you already know, this could take anything between seconds and years. A lot of variables come into play such as, the speed of the computer/s, cracking software etc, but most importantly the type of encryption used coupled with a strong passphrase or password.

I'm not an expert by any means either, but i've read that bit count alone isn't everything. So it might be worth your while going straight to the source by writing to Bruce Schiener via his website. If you do and you get a response, it might be nice to post back with it, or the link if he posts it on his blog.


StevieO