[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Announce loop-AES-v1.3b file crypto package

To: "Michael H. Warfield" <mhw@wittsend.com>
Subject: Re: Announce loop-AES-v1.3b file crypto package
From: "peter k." <spam-goes-to-dev-null@gmx.net>
Date: Sat, 7 Jul 2001 21:41:41 +0200
Cc: "Jari Ruusu" <jari.ruusu@pp.inet.fi>, <linux-crypto@nl.linux.org>
References: <3B39D328.810C4CB3@pp.inet.fi> <001701c10651$97453f60$0100005a@host1> <20010706212312.A3357@alcove.wittsend.com> <001901c10685$f287fd20$0100005a@host1> <20010706220332.C3357@alcove.wittsend.com> <20010707174328.C1225@chinstrap.nsw.bigpond.net.au> <20010707044856.B7726@alcove.wittsend.com> <20010707210156.D1225@chinstrap.nsw.bigpond.net.au> <20010707145746.C7726@alcove.wittsend.com>
Sender: owner-linux-crypto@nl.linux.org

> Actually, I think that what was being argued was that 10 was
> insufficient.  The original poster was not asking if 20 was sufficient,
> he was asking if 10 wasn't sufficient.  IMHO...  10 is not sufficient.
> The discussion is not over 20, it's over 10.
>
> Whether 20 is sufficient or not, depends on your use, but it's
> better than 10.  Arguing that 10 characters is insufficient is NOT arguing
> that 20 is sufficient.  20 might be, with decent complexity checkers and
> it might not be if it were a clear plaintext passphrase.  It might be
> total overkill if you are diciplined and have a good enough memory for
> high entropy shorter passwords.  Certainly 60 bits (10 characters * 6
bits)
> is not safe from brute force attacks unless it is protected by other
> mechanisms.
>
> Ppdd wants TWO 24 character passphrases (48 characters or more
> total).  Is that sufficient?  Probably, in most cases.  :-)  Is it better
> than 20?  Yeah, I think so, maybe...  Does it have any bearing what so
> ever on whether or not 10 characters is insufficient?  No.
>
> The argument was over the sufficiency of 10 characters.
> Long term, non-volitile, crypto protected by only 60 bits worth of
> "key" is subject to being brute force attacked given sufficient
> time, equipment, and incentive on the part of the attacker.  You
> really REALLY want to protect it?  You don't use 60 bits.
>

well, how much time and what equipment would you need for bruteforcing a 10
byte pw? 3 years of ASCI White? ;) [note that im not talkin about
distributed computing which is able to decrypt stuff protected by 10 bytes
of course] ... and what about 20 bytes then?
10 bytes of a-z and 0-9 thats 36^10=3,656,158,440,062,976 possible
passwords...

hmm, i'll use 20 bytes and AES128 anyway, but again: is that the minimal
length or is it really enough? what about 15 bytes?




Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

References:
- Re: Announce loop-AES-v1.3b file crypto package
  - From: "peter k." <spam-goes-to-dev-null@gmx.net>
- Re: Announce loop-AES-v1.3b file crypto package
  - From: "Michael H. Warfield" <mhw@wittsend.com>
- Re: Announce loop-AES-v1.3b file crypto package
  - From: "peter k." <spam-goes-to-dev-null@gmx.net>
- Re: Announce loop-AES-v1.3b file crypto package
  - From: "Michael H. Warfield" <mhw@wittsend.com>
- Re: Announce loop-AES-v1.3b file crypto package
  - From: Stephen Robert Norris <srn@fn.com.au>
- Re: Announce loop-AES-v1.3b file crypto package
  - From: "Michael H. Warfield" <mhw@wittsend.com>
- Re: Announce loop-AES-v1.3b file crypto package
  - From: Stephen Robert Norris <srn@fn.com.au>
- Re: Announce loop-AES-v1.3b file crypto package
  - From: "Michael H. Warfield" <mhw@wittsend.com>

Prev by Date: Re: Announce loop-AES-v1.3b file crypto package
Next by Date: Re: Announce loop-AES-v1.3b file crypto package
Prev by thread: Re: Announce loop-AES-v1.3b file crypto package
Next by thread: Re: Announce loop-AES-v1.3b file crypto package
Index(es):
- Date
- Thread