[4171] in cryptography@c2.net mail archive
Strengthening the Passphrase Model (was Re: PGP compromised on
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Tue Feb 9 10:01:15 1999
In-Reply-To: <14015.24206.748927.873657@pinotnoir.media.mit.edu>
Date: Tue, 9 Feb 1999 09:46:40 -0500
To: nelson@media.mit.edu (Nelson Minar), cryptography@c2.net
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Nelson Minar's comments (reproduced below) are right on target. Here are 4
practical suggestions to increase the effectiveness of the passphrase
model in PGP. They also apply to other security programs that use
passphrases.
1. PGP should suggest a passphrase to the user when a new key pair is
generated. PGP already has a trusted source of randomness. Why not offer a
passphrase? There could be a choice of formats --Diceware words, random
syllables, random letters -- and strengths (5 Diceware words provide 64 bits
of entropy, 6 words 77 bits, 7 words 90 bits). The user could, of course,
choose to enter his own passphrase.
2. PGP should burn computer time hashing the passphrase. While you cannot
increase the entropy of a passphrase with an algorithm, you can make
exhaustive search far more difficult.
One of my pet ideas is a "computationally intensive" hash algorithm.
Cryptography usually strives for algorithms that are fast and have a small
footprint. I propose a hash algorithm tuned to use as much of the resources
of a typical PC as possible, consistent with an acceptable user delay. This
means lots of memory, 32 bit multiplies, maybe even floating point (I say
maybe because of the Intel FP fiasco). The algorithm should be
parameterized in memory use and in running time such that each level jump
increases by (say) 50%. This would allow the user to select a delay that
was acceptable on her machine and allow the algorithm to keep up with the
growth in PC power.
I have some ideas for such an algorithm that I would be glad to share. I
think we need a forum to develop and agree on such an algorithm.
3. PGP should be available on a bootable CD-ROM for the major platforms.
(This is easy to do on a Mac, I do not know how hard it is on Windows or
Linux.) Running off a CD while performing encryption would make a
virus/trojan attack difficult if not impossible. A separate utility could
be distributed to do an SHA-1 hash of the CD.
4. We should reconsider the time honored advice to never write down one's
passphrase. I believe most users are more fearful of forgetting their
passphrase than of having it compromised. This is a major reason why they
choose weak passphrases.
One compromise is to suggest that users come up with the best phrase they
are comfortable with committing to memory and then add more words chosen at
random, with the extra words written down and kept in a safe place. This
approach would also be useful for users who need multiple passphrases. The
written random ones would differ and the memorized secret would remain the
same.
I think steps along these lines can do much to make security a reality for
the average user.
Arnold Reinhold
============
At 5:00 PM -0500 2/8/99, Nelson Minar wrote:
>Forgive me for saying this, but I'm a bit dismayed at the arrogance of
>people talking about "idiots" and "stupid" and "fools". People using
>cryptography on computers are generally not stupid. If they are having
>a hard time with passphrases, I humbly suggest it is because we as
>cryptographers and security system designers have failed them.
>
>Personally, I think the whole model of passphrases is a mess. They're
>clumsy to use, awkward to remember, and insecure in practice. (It's
>only an accident that the recent PGP-key-stealing Word Macro virus
>didn't watch for the user's passphrase and steal that as well as the
>encrypted secret key.)
>
>One contribution that systems security people can make is to think of
>models other than passphrases for protecting secrets. I'm particularly
>fond of relying on a small amount of secure hardware, but of course
>that's not a panacea either. There are lots of other approaches.
>
>Another contribution we can make is to think of ways to make people's
>use of passphrases more secure. We've been fighting this battle (and
>losing) in Unix passwords for at least ten years, but it's still a
>good fight. It's not enough to just say "users are stupid". Maybe
>"users need education, and they need tools to help them make the right
>choices" is more productive?
>
> nelson@media.mit.edu
>. . . . . . . . http://www.media.mit.edu/~nelson/
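The three concrete proposals in Reinhold's post (a generator that offers Diceware words, random syllables or random letters together with an entropy figure; a passphrase hash parameterized in memory and running time; and a memorized phrase extended with written-down random words) can be sketched in a few dozen lines. The block below is an added example and is not code from the post, from PGP or from the Diceware project. It assumes the following: the 16-entry word list is a constructed stand-in for the real 7776-entry Diceware list (the entropy figures in the post use 7776); scrypt from Python's standard hashlib stands in for the "computationally intensive" hash the post calls for, since it is tunable in both memory (128*r*n bytes) and time; and because scrypt's n must be a power of two, each cost level doubles rather than growing by 50%. The function and variable names are the example's own.

```python
"""Added example: passphrase suggestion with entropy accounting, a
memory- and time-parameterized passphrase hash, and the "memorized phrase
plus written random words" scheme.  Not code from the original post."""
import hashlib
import math
import secrets
import string
import time

# Constructed stand-in word list.  The real Diceware list has 6**5 = 7776
# entries, one per five-dice roll; that size is what the post's 64/77/90-bit
# figures for 5/6/7 words are based on.
DICEWARE_LIST_SIZE = 6 ** 5
SAMPLE_WORDS = ["acorn", "blimp", "cargo", "dusk", "ember", "flint", "gulch",
                "harp", "idle", "jolt", "kiosk", "lumen", "mossy", "nadir",
                "oxbow", "pluck"]
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 consonants
VOWELS = "aeiou"                    # 5 vowels -> 90 distinct syllables


def entropy_bits(n_items, alphabet_size):
    """Entropy of n_items independent uniform picks from alphabet_size choices."""
    return n_items * math.log2(alphabet_size)


def diceware_bits(n_words):
    """Whole bits for n real Diceware words (floor, as the post quotes them)."""
    return int(entropy_bits(n_words, DICEWARE_LIST_SIZE))


def suggest(fmt, n, wordlist=SAMPLE_WORDS):
    """Return (passphrase, entropy_bits) using the OS CSPRNG (secrets)."""
    if fmt == "words":
        words = [secrets.choice(wordlist) for _ in range(n)]
        return " ".join(words), entropy_bits(n, len(wordlist))
    if fmt == "syllables":
        syl = [secrets.choice(CONSONANTS) + secrets.choice(VOWELS) for _ in range(n)]
        return "".join(syl), entropy_bits(n, len(CONSONANTS) * len(VOWELS))
    if fmt == "letters":
        letters = "".join(secrets.choice(string.ascii_lowercase) for _ in range(n))
        return letters, entropy_bits(n, 26)
    raise ValueError("unknown format: %r" % fmt)


def combine(memorized, extra_words):
    """Item 4 of the post: a memorized phrase plus random words that are
    written down and stored separately.  Only the random words should be
    credited with entropy; the memorized part is whatever the user picked."""
    return memorized + " " + " ".join(extra_words)


def scrypt_params(level):
    """Cost level -> (n, r, p).  Each level doubles CPU work and memory
    (assumption: doubling stands in for the post's 50% steps, since scrypt
    requires n to be a power of two)."""
    return 2 ** (10 + level), 8, 1


def memory_bytes(n, r):
    """Approximate working memory scrypt needs for these parameters."""
    return 128 * r * n


def slow_hash(passphrase, salt, level, dklen=32):
    """Derive a key from the passphrase, burning time and memory on purpose."""
    n, r, p = scrypt_params(level)
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=2 * memory_bytes(n, r) + 2 ** 20, dklen=dklen)


def calibrate(target_seconds, max_level=6):
    """Highest level whose derivation still finishes within target_seconds on
    this machine, so the delay tracks the growth in PC power (post, item 2)."""
    salt = secrets.token_bytes(16)
    chosen = 0
    for level in range(max_level + 1):
        start = time.perf_counter()
        slow_hash("calibration", salt, level)
        if time.perf_counter() - start > target_seconds:
            break
        chosen = level
    return chosen


if __name__ == "__main__":
    phrase, bits = suggest("words", 6)
    print("suggested: %r (%.1f bits with this %d-word list)" % (phrase, bits, len(SAMPLE_WORDS)))
    print("6 real Diceware words:", diceware_bits(6), "bits")
    level = calibrate(0.25)
    n, r, _ = scrypt_params(level)
    print("level %d: n=%d, about %d MiB" % (level, n, memory_bytes(n, r) // 2 ** 20))
    print(slow_hash(phrase, secrets.token_bytes(16), level).hex())
```

The salt passed to `slow_hash` must be stored alongside the encrypted private key, and the cost level with it, so the same derivation can be repeated later; raising the level on a faster machine then just means re-encrypting the key under the new parameters.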