Password strength

Discussion in 'Other Ghost Security Software' started by docfleetwood, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. S. Prof

    S. Prof Guest

    Yup,

    FANTASTIC this is the way forward. If you can do this it would go down well with all and do you wonders

    hope it fares well

    sp



     
  2. xmp

    xmp Guest

    Schneier means crunching an English key down into a cipher key. That's all he meant. 196 chars is not needed if the password is strong.

    An example of a weakness was an early crypto program (not TDS, but this other company sells AV software too) which didn't utilize the full set of characters. Thus even the strongest key was weak.

    The key bits may or may not be equal to block length in a symmetric block cipher. E.g. DES is 56 bit key and 64 bit block. An initial portion of the algo derives 64 bits from the 56 bits and uses that.

    Multiple crypts can increase strength, but it depends on the algo (and implementation). For instance triple DES is simply DES 3 times, with 2 or 3 different keys. DES is thought to not be a group. That means encrypting once with Key 1 and then again with Key2 will result in cryptotext which cannot be cracked by a hypothetical Key 3.

    Certainly using two random dictionary words as an online password is surprisingly safe. E.g. 1/100,000 * 1/100,000 which can't be broken via network cracking.

    I agree with the implementation issue being as important as algo strength.
     
  3. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Actually Bruce Schneier does mean using 196 characters for a 256-bit key. He even (in some of his writings) offers samples of how this might be done without killing your memory cells. Keep in mind, this is to utilize the full strength of 256-bit.

    I personally heard Schneier discuss this at a CSI meeting in 2001 and that's really what he meant.

    There seems to be some doubt about this and the only suggestion I have is to actually read his material or write him and ask him. I am sure he would be more than happy to explain in a nutshell and confirm this.
    schneier@counterpane.com

    John
    Luv2BSecure

    .
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    If you take a look at a 256bit key (32 bytes), there are 2^256 different keys. So if you tell me you have a 256bit key I know it's a number between the range of 0 to 2^256.

    You shouldn't get confused between passwords and keys. Passwords are TYPICALLY used to generate keys. In some implementations, the password is even the KEY itself. So let's take the key generation part out of it and just say you use the password as the key. Let's say your password is 8 bytes, but the keysize you are using is 32 bytes (256 bits). So if you didn't generate a key from your passphrase and instead used your passphrase as your 256bit key, it would look something like this :-

    MYPASSWD000000000000000000000000

    (taking into account that each 0 is one BYTE)

    Now this key is nowhere near using the full range of what is possible, look at all those zeroes. Effectively your key is now only 64bits (considering your password is completely random and uses each full byte for each character)

    But what if I just generated 32 random bytes for my password/key? Then you would be using ALL of the security that a 256bit key offers. So considering that your password is random and you use the password as your key then you only need 32 characters to fully utilize a 256bit key. If you have trouble understanding this, I suggest you re-read it then possibly do some other research if it's still unclear.

    Now, maybe there is some mis-understanding going on here. If you are trying to suggest that when you use cryptographic hashes to generate KEYS from passwords, that the password should be 192 characters for better security, then maybe you are right to an extent. Evidence suggesting certain hashes are "weak" given a smaller message length than 192 would be helpful however. :) As far as I am aware, Bruce Schneier has never said this.
     
  5. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Hi Jason,

    I promise you - I know the difference. In extreme simplicity: passwords or passphrases are used to derive keys for cryptographic use.

    Talking about all of this has made me think again, that when it gets right down to it the fact is, the use of a password (or passphrase), in most cases and especially for high security use, has become obsolete! However, if one chooses not to use pseudo-randomly generated keys, it is not easy to remember and is most inconvenient, but that is what people seem to want to do!

    random+salt. Personal entropy. Information theory - this is all important but unaddressed. The use of MD2, MD4, and MD5? I still don't understand that. Speaking of:
    www.arnnet.com.au/index.php/id;1503863220;fp;16;fpid;0

    I have so many questions as to what you know about cryptography at the mathematical level. What is your crypto training? No offense intended. Maybe it's just a different way of looking at things - or we are missing something here. Maybe miscommunicating? That wouldn't be a surprise in my current state of health. (Sometimes things are mush.) One thing I know in crypto: 2+2 doesn't always equal 4.

    By the way, concerning cryptographic keys, passwords, etc. and trying to safely secure the info in the brain --- here is something else I think you might find very interesting:
    http://www.schneier.com/paper-personal-entropy.pdf

    best,

    John
    Luv2BSecure

    .
     
  6. xmp

    xmp Guest

    John is correct about entropy of passphrases.

    "If the phrase is long enough, the resulting key will be random. Exactly what 'long enough' means is open to interpretation. Information theory tells us that standard English has about 1.3 bits of information per character. For a 64-bit key, a pass phrase of about 49 characters, or 10 normal English words, should be sufficient. As a rule of thumb, figure that you need five words for each 4 bytes of key. That's a conservative assumption, since it doesn't take into account case, spacing, and punctuation."

    Applied Cryptography (Bruce Schneier)

    Extrapolating, it's 196 chars for 256 bit key. IF it's an obscure English phrase, preferably not from any book in print. Entropy of a pass phrase is a social construction though.
     
  7. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Yes that is the point I was trying to get across, if you have low entropy you will of course need more characters for your passphrase. The idea that everyone's passphrase needs to be 196 characters is what I originally said was misleading. And as I have been saying, if you have 32 characters with full entropy (i.e. randomness), then you have maximized the security for a 256bit key. You will mostly only get this sort of entropy if you generated 32 random bytes for your key, not from a standard password chosen by the user.

    That quote is only true if entropy is as xmp mentioned, at around 1.3bits per character. This wasn't mentioned in the original quote which is why I added my comments. If you re-read my posts you will see I also say roughly 20 (considering most passwords can only use 7 out of each 8 bits) characters is needed to fully satisfy a 128bit key when you consider it has full entropy, which John also said he wasn't going to agree with. :)
     
  8. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Well, I'm not too sure I followed everything said above. :eek: :eek: But what I do know after reading this is that I'm feeling pretty confident that I made the right decision to buy Cryptosuite, and that the folks that wrote Cryptosuite know what they are doing (understand cryptography). :D
     
  9. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Dazed and Confused:

    Be thankful that you made your purchase from people willing to talk to their customers. Dialogue from the developers - with open discussion - is rare in crypto programs. Whatever else I might think, I believe that Jason and the crew at DSC deserve the highest of praise for that. They're good people.

    John
    Luv2BSecure
     
    Last edited by a moderator: Aug 27, 2004
  10. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Indulge me for a moment. The following is pages 348 and 349 from Practical Cryptography by Bruce Schneier and Niels Ferguson. To fit, I had to cut the images a bit, but it's all here. Read these passages carefully. By the way, this book is not the same as Applied Cryptography. This book was written for the lay person, so it should be easy to understand. The information below is copyright 2003 by Niels Ferguson and Bruce Schneier......
    http://img.photobucket.com/albums/v333/thejuggler/348.jpg
    http://img.photobucket.com/albums/v333/thejuggler/349a.jpg
    http://img.photobucket.com/albums/v333/thejuggler/349b.jpg

    This is very self explanatory. It easily explains the approximate amount of entropy per English character. It easily explains what I have been trying to say in this thread. I have decided I am not communicating well, so thought this would be the best way.

    Pay careful attention to the fifth paragraph. In other writings, speeches, interviews, etc. he explains the need for the use of long passphrases. He doesn't always think people will do it (as it can be complex) and considering this was written for the lay person dismisses what SHOULD be done as unacceptable for the lay person. But for high security and to maximize security with 128-bit (as in this example) here it is! This is with my optimistic 2 bits per English character. At 1.5 - it is longer.

    For 256 bits of entropy ------this is how you get the 192 characters I referenced in the earlier post. BTW, the next page discusses using a limited-entropy passphrase along with a random number stored alongside the data that was encrypted with the password. This is called "salt"....a good way to beef up an otherwise weak passphrase. Also, page 340 explains why the passphrase for Alice (in the example from the book above) is not truly good because of the dictionary words and how she can do better by using the first letters of a string of long words from a memorized passage.

    If you would like further information - or verification - as to why the long passphrase is needed to make the most of the 128/256 ciphers, please write Bruce. He (usually) is good about responding.
    schneier@counterpane.com

    All the best,

    John
    Luv2BSecure

    .
     
  11. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi again John, :)

    What you are saying is correct, I am not saying it isn't. The difference between something being misleading and something being incorrect is sometimes very great.

    Now for the normal everyday average user who wants to use encryption and isn't good at remembering very obscure and random passwords, then maybe using 10-15 English words which form 196 characters is the best thing for them if they want to ensure their 256bit key has enough entropy. I'm not saying this is wrong, and possibly even most people would fall into this category.

    However for another semi-typical person there is another step they may take, if you generated 32 random bytes for your key and spent some time memorizing it, then you have just as much security as someone who memorizes the 196 character phrase. That is all I am trying to get across, the amount of entropy in a password IS variable, not all passwords are the same. Of course one might be easier to remember than the other, but I didn't think we were discussing that. :)

    Thanks for providing those images, I am sure a lot of people will appreciate them. :)
     
    Last edited by a moderator: Aug 27, 2004
  12. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Yes I am not sure why so many other encryption software authors shy away from public support. It might be something to do with a lot of people just using 3rd party encryption libraries without really knowing much about cryptography. I am glad I am not the only one who has noticed this, shows you know a lot about the industry John. :)
     
  13. Zedd

    Zedd Guest

  14. entropic

    entropic Guest

    This is how I generate good passwords (steps 2) to 4) of this are easily converted to a Perl or Python script -- write your own script and test carefully that it's giving random results):

    1) Pick a password strength in bits: for current use, I'd suggest a minimum of at least 64 bits, for the paranoid or for very long term use 128 bits (long term here being long enough for quantum computers to go from lab research to hacker's desktops). Round the number of bits up to a multiple of 6, and divide by 6 -- this gives the number of characters long that your password will need to be (i.e. something in the range from 11 to 22 characters)

    2) Using a source of cryptographic-strength entropy (i.e. NOT rand() or anything derived from it -- on Linux /dev/random works fine, or roll a lot of dice, or take a LOT of gibberish input from the keyboard, making a very conservative assumption like 0.25 bits of entropy per character of gibberish) generate a chunk of data containing more bits of entropy than the number of bits of password strength you picked (and ideally at least 128 bits of entropy, or 160 if you plan to use SHA-1 in step 3)).

    3) Hash the entropy-containing data using a cryptographic strength hashing algorithm like MD5 or SHA-1 to compress the entropy into 128 or 160 bits (while MD5 does have some known issues for message integrity uses, none of them should affect this use, which is just compressing entropy).

    4) Base-64 encode the resulting hash (converting it to a string of upper and lower case numbers and digits, plus possibly a '/' or a '+'), and take the first however many characters you decided you need for your password length (be sure to just take the first N characters, don't pick out N characters you like from the entire hash, the latter is a weaker password). This password is extremely secure (but so far for most people very hard to memorize).

    5) Staring at your new password, spend some time devising a meaningful (or at least as meaningful as you can come up with) and memorable phrase whose first letters are the letters of your password (for numbers, either put numbers in the phrase or use soundalikes or lookalikes like '1' -> 'I' or 'wan', '8' -> 'ate', or any similar trick you can think of). You can either just memorize the MiXeD-cAsE nature of the password (e.g. by thinking of the UPPER-CASE words as being LOUDER or EMPHASIZED), or you can use proper names in the phrase for upper case letters and other words for lower case letters. [Personally I find making the phrase as obscene as possible helps me remember it, but that may be a quirk of my particular twisted brain.] The phrase isn't your password (though I suppose if you wanted to (and can touchtype), you could use the phrase as passphrase as a very long password, it should have even more entropy than the entropy of the set of letters you derived it from), it's just a mnemonic device to help you remember the random password you generated in steps 1) through 4).

    [If you have a lot of trouble generating a phrase for the password you got, you could generate another password and try that one, or do something like swapping all the letters between upper and lower case, but bear in mind that you just gave up about one bit of password strength by doing so -- doing it twice more will lose you another bit, four more times another, and so on, so soon you may need to add another character to the password length to make up for it.]

    6) Memorize the phrase. Practice (on a secure system) typing the password from the memorized phrase until you are sure you have it memorized and can do it easily. This is likely to take multiple repetitions. During this process you may think of or discover ways to improve the phrase's memorability or how much sense it makes -- this will help in the long run but may require some extra memorization work at this point.

    7) Actually change your password on the system this password is for to the new password. If the system you are entering the password into complains that it isn't secure enough because it has only letters and numbers and no symbols in it, laugh hollowly and convert one of the numbers or letters into a symbol in some memorable way such as 'S' -> '$'. Rememorise your passphrase with this extra twist, or change the passphrase to fit this and rememorize.

    8) Now that you have gone to all that trouble, if at all possible, never write your password or the corresponding phrase down, never enter it into any sort of insecure computer system, don't use the same password for any other systems (at least not unless you have total faith in their security), don't tell your password or the corresponding phrase to anyone, and don't let anyone watch over your shoulder (or listen to you mumbling the phrase) while you type it (though if someone does watch over your shoulder without you noticing, they may have trouble memorizing the string of random letters and digits you are typing).
     
  15. entropic

    entropic Guest

    Obviously steps 2) through 4) and 6) need to be done on a secure and trusted system, and erasing the results from memory or disk as much as is practicable is probably a good idea too.
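
Steps 1) to 4) of the procedure in the two posts above, written out as a Python script; this is an added example, not code posted by anyone in the thread. The function names, the 32-byte pool size and the choice of `os.urandom` as the entropy source are assumptions of the example, and the dice helper generalizes the "roll a lot of dice" option by counting log2(6) bits per roll.

```python
import base64
import hashlib
import math
import os


def password_length(bits: int) -> int:
    """Step 1: round the strength up to a multiple of 6 bits; one base-64 char per 6 bits."""
    return math.ceil(bits / 6)


def dice_rolls_needed(bits: int) -> int:
    """Step 2 with dice: each fair six-sided roll carries log2(6) (about 2.585) bits."""
    return math.ceil(bits / math.log2(6))


def derive_password(entropy: bytes, bits: int = 64, hash_name: str = "sha1") -> str:
    """Steps 3 and 4: hash the entropy pool, base-64 encode, keep the FIRST N chars."""
    digest = hashlib.new(hash_name, entropy).digest()
    if bits > len(digest) * 8:
        # A 160-bit SHA-1 digest cannot carry more than 160 bits of strength.
        raise ValueError(f"{hash_name} yields only {len(digest) * 8} bits")
    # Drop '=' padding so it can never end up inside the password.
    encoded = base64.b64encode(digest).decode("ascii").rstrip("=")
    # Take a prefix; hand-picking "nice" characters would weaken the result.
    return encoded[:password_length(bits)]


def generate_password(bits: int = 64, hash_name: str = "sha1") -> str:
    """Step 2 using the OS CSPRNG (assumed source; the post names /dev/random)."""
    pool = os.urandom(32)  # 256 bits, more than any strength SHA-1 can carry
    return derive_password(pool, bits, hash_name)


if __name__ == "__main__":
    for strength in (64, 128):
        print(strength, "bits ->", generate_password(strength))
    print("dice rolls for 64 bits:", dice_rolls_needed(64))
```

With `os.urandom` the hashing step adds nothing, since the pool is already uniform; it matters when the pool is dice rolls or keyboard gibberish passed to `derive_password` as bytes.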
     
  16. BourgePD

    BourgePD Registered Member

    Joined:
    Sep 5, 2004
    Posts:
    75
    For generating pass phrases at the most basic level, I have a preference for using the 95 printable characters abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':"[]\{}|`1234567890-=~!@#$%^&*()_+ and using a password generator to generate them. Examples from a self-generated one-time pad containing 100k pass phrases:


    Much more secure than easy-to-remember text strings. Needless to say, other than that these keys just expired ;) , key management is a whole other topic.

    :ninja:
     
    Last edited: Dec 16, 2004