[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Announce loop-AES-v1.3b file crypto package

Mr. Touloumtzis, et al.:

	Some ideas to increase entropy:

1) Randomizing the location of the number within each word add more entropy?
I noticed you consistently placed the number at the beginning of every word
2) Randomizing the capitalization change anything?
3) Random non-alphanumeric characters in random positions of each of the
words help?


Very Respectfully,

Stuart Blake Tener, IT3, USNR-R, N3GWG
VTU 1904G (Volunteer Training Unit)
stuart@bh90210.net
west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043
east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859

Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's
free!)

JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.

Saturday, July 07, 2001 7:58 PM

-----Original Message-----
From: owner-linux-crypto@nl.linux.org
[mailto:owner-linux-crypto@nl.linux.org]On Behalf Of Mike Touloumtzis
Sent: Saturday, July 07, 2001 6:55 PM
To: linux-crypto@nl.linux.org
Subject: Re: Announce loop-AES-v1.3b file crypto package

On Sun, Jul 08, 2001 at 10:31:51AM +1000, Stephen Robert Norris wrote:
>
> It's not a good passphrase. A random 10 character one might well be
better!
>
> I think my general complaint is that people's intuition about what makes
> a good passphrase is bad :)

Here's an algorithm for choosing a strong pass phrase,
in case people are curious for one that's demonstrably
pretty strong[1].  Comments and corrections welcome.

1) Copy all words between 5 and 10 characters long
   from the /usr/share/dict/american-english file in a
   Debian system.  This procedure gives me 35,479 words,
   or about 15 bits of entropy per word provided they are
   chosen truly randomly.

   You might have to localize this procedure to your own
   system.  Just remember entropy == base 2 logarithm of
   number of choices iff they are truly unpredictable.

2) Select 5 words at random from the list.  Use /dev/random
   or another known good source of entropy.

3) Before each of the words, place a digit from one to
   eight.  Again, these should be chosen at random.

4) Add a space between words (this doesn't contribute
   entropy but helps readability if you want to write
   the passphrase down in your completely offline,
   double-secret hidey-hole, and seems to make the phrase
   easier for humans to remember--based on informal,
   empirical testing I have conducted).

   You'll now have a passphrase something like this:

   "5tornado 5archiver 1nightcap 8Haifa 7ballad"

   Such a passphrase has roughly 90 bits of entropy given
   a known choice of construction algorithm, since each
   random word choice contributes 15 bits and each random
   digit (one of eight) contributes 3 bits.

   The rationale for the numbers is to keep natural
   language word frequency from coming into play very much,
   as it might if someone were testing spaced-out English
   words without knowing your selection algorithm.

   => Ninety bits puts you well into "they'll break in
   and bug your keyboard first" territory provided your
   algorithms and other security factors are good.

5) Don't tell anyone you're using this algorithm.
   This will add more bits of entropy to your passphrase
   as a whole, since this passphrase space will become
   one of many that must be searched.

[1] Actually I'm grubbing for few more bits of entropy by
not revealing my _actual_ passphrase selection algorithm;
this is a variant :-).

miket

Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/


Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/