[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Announce loop-AES-v1.3b file crypto package

To: linux-crypto@nl.linux.org
Subject: Re: Announce loop-AES-v1.3b file crypto package
From: Sandy Harris <sandy@storm.ca>
Date: Sun, 08 Jul 2001 00:36:17 -0400
References: <NBBBJHKIOKPKOGOEPEDPEEDFDLAA.stuart@bh90210.net>
Sender: owner-linux-crypto@nl.linux.org

"IT3 Stuart B. Tener, USNR-R" wrote:
> 
> Mr. Touloumtzis, et al.:
> 
>         Some ideas to increase entropy:
> 
> 1) Randomizing the location of the number within each word add more entropy?
> I noticed you consistently placed the number at the beginning of every word

An extra 2 to 3 bits per word, but harder to remember.

> 2) Randomizing the capitalization change anything?

One bit per letter, harder to remember.

> 3) Random non-alphanumeric characters in random positions of each of the
> words help?

Quite a lot -- if it's one of 16 characters in one of four positions, that's
6 extra bits per word -- but likely very hard to remember.
 
> Very Respectfully,
> 
> Stuart Blake Tener, IT3, USNR-R, N3GWG
> VTU 1904G (Volunteer Training Unit)
> stuart@bh90210.net
> west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043
> east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859
> 
> Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's
> free!)
> 
> JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.
> 
> Saturday, July 07, 2001 7:58 PM
> 
> -----Original Message-----
> From: owner-linux-crypto@nl.linux.org
> [mailto:owner-linux-crypto@nl.linux.org]On Behalf Of Mike Touloumtzis
> Sent: Saturday, July 07, 2001 6:55 PM
> To: linux-crypto@nl.linux.org
> Subject: Re: Announce loop-AES-v1.3b file crypto package
> 
> On Sun, Jul 08, 2001 at 10:31:51AM +1000, Stephen Robert Norris wrote:
> >
> > It's not a good passphrase. A random 10 character one might well be
> better!
> >
> > I think my general complaint is that people's intuition about what makes
> > a good passphrase is bad :)
> 
> Here's an algorithm for choosing a strong pass phrase,
> in case people are curious for one that's demonstrably
> pretty strong[1].  Comments and corrections welcome.
> 
> 1) Copy all words between 5 and 10 characters long
>    from the /usr/share/dict/american-english file in a
>    Debian system.  This procedure gives me 35,479 words,
>    or about 15 bits of entropy per word provided they are
>    chosen truly randomly.
> 
>    You might have to localize this procedure to your own
>    system.  Just remember entropy == base 2 logarithm of
>    number of choices iff they are truly unpredictable.
> 
> 2) Select 5 words at random from the list.  Use /dev/random
>    or another known good source of entropy.
> 
> 3) Before each of the words, place a digit from one to
>    eight.  Again, these should be chosen at random.
> 
> 4) Add a space between words (this doesn't contribute
>    entropy but helps readability if you want to write
>    the passphrase down in your completely offline,
>    double-secret hidey-hole, and seems to make the phrase
>    easier for humans to remember--based on informal,
>    empirical testing I have conducted).
> 
>    You'll now have a passphrase something like this:
> 
>    "5tornado 5archiver 1nightcap 8Haifa 7ballad"
> 
>    Such a passphrase has roughly 90 bits of entropy given
>    a known choice of construction algorithm, since each
>    random word choice contributes 15 bits and each random
>    digit (one of eight) contributes 3 bits.
> 
>    The rationale for the numbers is to keep natural
>    language word frequency from coming into play very much,
>    as it might if someone were testing spaced-out English
>    words without knowing your selection algorithm.
> 
>    => Ninety bits puts you well into "they'll break in
>    and bug your keyboard first" territory provided your
>    algorithms and other security factors are good.
> 
> 5) Don't tell anyone you're using this algorithm.
>    This will add more bits of entropy to your passphrase
>    as a whole, since this passphrase space will become
>    one of many that must be searched.
> 
> [1] Actually I'm grubbing for few more bits of entropy by
> not revealing my _actual_ passphrase selection algorithm;
> this is a variant :-).
> 
> miket
> 
> Linux-crypto:  cryptography in and on the Linux system
> Archive:       http://mail.nl.linux.org/linux-crypto/
> 
> Linux-crypto:  cryptography in and on the Linux system
> Archive:       http://mail.nl.linux.org/linux-crypto/

Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

Follow-Ups:
- RE: Announce loop-AES-v1.3b file crypto package
  - From: "IT3 Stuart B. Tener, USNR-R" <stuart@bh90210.net>

References:
- RE: Announce loop-AES-v1.3b file crypto package
  - From: "IT3 Stuart B. Tener, USNR-R" <stuart@bh90210.net>

Prev by Date: RE: Announce loop-AES-v1.3b file crypto package
Next by Date: RE: Announce loop-AES-v1.3b file crypto package
Prev by thread: RE: Announce loop-AES-v1.3b file crypto package
Next by thread: RE: Announce loop-AES-v1.3b file crypto package
Index(es):
- Date
- Thread