[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Choosing the passphrase, encrypted swap, naming the kernel

To: linux-crypto@xxxxxxxxxxxx
Subject: Re: Choosing the passphrase, encrypted swap, naming the kernel
From: Venkat Manakkal <venkat@xxxxxxxxxxxxxx>
Date: Fri, 30 Jul 2004 13:47:28 -0400
In-reply-to: <4109C3EC.2050605@gmx.net>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-id: <linux-crypto.nl.linux.org>
List-owner: <mailto:riel@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-software: Ecartis version 1.0.0
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
References: <410733D5.2080000@gmx.net> <200407291044.01246.venkat@rayservers.com> <4109C3EC.2050605@gmx.net>
Sender: linux-crypto-bounce@xxxxxxxxxxxx
User-agent: KMail/1.6.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 29 July 2004 23:43, Christian wrote:
> Venkat Manakkal wrote:
> > See diceware.com about choosing really strong passwords. Long phrases or
> > sentences do not really cut it. A ten word diceware phrase puts you in
> > the 128+ bits of entropy range, throw in some extra special characters
> > for good measure and you will be in the 30 char password length range.
>
> But it doesn't make sense to use AES256 if your password has only 128
> bits of entropy, right?

The password is usually the last line of defense, at the point where the 
attacker has both the GPG keys and the encrypted randomly generated multi-key 
passphrase. At that point, the human who has the passphrase in his or her 
head is the weakest link since the attacker will have the person too, most 
likely, on some island... Analysing the threat scenarios usually eliminates 
the requirement of much more than AES128. It is usually far easier to get the 
password than to brute force a modern cipher, as far as I know.

If the attacker does not have access to the USB keychain with the PGP keys and 
the encrypted keyfile, then you get the full benefit of AES256 (whatever that 
means to you).

Cheers!

- ---Venkat.

- ----------------------------------------------------------------------------
Venkat Manakkal                       
venkat_AT_rayservers.com GPG: https://www.rayservers.com/keys/0x12430522.asc
GPG: 0x12430522/4856 01AB F8BA E0EB F128 A57F 59D9 16FD 1243 0522
+1-607-546-7300 http://www.rayservers.com/ Computers. Installed Secure.
- ----------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBComxWdkW/RJDBSIRAtfSAKC5dhBo0udtrbkxSPrerQGi9TMJlQCeKBto
0Z0poUa2PmUzeHASdA1oUww=
=1Xb9
-----END PGP SIGNATURE-----

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

References:
- Encrypted swap, suspend, README, root encryption, potential weaknesses, NSA, dual-ciphers
  - From: Christian
- Re: Encrypted swap, suspend, README, root encryption, potential weaknesses, NSA, dual-ciphers
  - From: Venkat Manakkal
- Choosing the passphrase, encrypted swap, naming the kernel
  - From: Christian

Prev by Date: Re: Choosing the passphrase, encrypted swap, naming the kernel
Next by Date: Re: Installed Secure [was Re: Trying to set up root encryption with loop-AES on SuSE 9.1]
Previous by thread: Re: Plausible deniability
Next by thread: Re: Encrypted swap, suspend, README, root encryption, potential weaknesses, NSA, dual-ciphers
Index(es):
- Date
- Thread