[4172] in cryptography@c2.net mail archive
Re: Strengthening the Passphrase Model (was Re: PGP
daemon@ATHENA.MIT.EDU (Rodney Thayer)
Tue Feb 9 11:25:28 1999
Date: Tue, 09 Feb 1999 07:56:26 -0800
To: "Arnold G. Reinhold" <reinhold@world.std.com>,
nelson@media.mit.edu (Nelson Minar), cryptography@c2.net
From: Rodney Thayer <rodney@tillerman.nu>
In-Reply-To: <v03130302b2e5f5da6f4e@[24.128.119.92]>
At 09:46 AM 2/9/99 -0500, Arnold G. Reinhold wrote:
>Nelson Minar's comments (reproduced below) are right on target. Here are
[...] practical suggestions [...]
>2. PGP should burn computer time hashing the passphrase. While you cannot
>increase the entropy of a passphrase with an algorithm, you can make
>exhaustive search far more difficult.
There was an interesting paper presented last week at NDSS '99
(http://www.isoc.org/ndss99) by Ari Juels and John Brainard, called "Client
Puzzles", which relates. The notion is to cause the user to burn a bit of
compute time solving a puzzle, in the interest of preventing certain kinds
of attacks.
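As an added illustration of the quoted suggestion 2 (not code from this message, from PGP, or from the Client Puzzles paper), the sketch below stretches a passphrase with salted, iterated hashing and shows how the iteration count raises the cost of exhaustive search without adding entropy. PBKDF2-HMAC-SHA256 is swapped in as the stretching function, and the function names, the 20,000-iteration floor and the attacker rate are assumptions made for the example.

```python
import hashlib
import math
import os
import time

PROBE_ITERATIONS = 20_000  # assumed floor; also the size of the timing probe


def stretch(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key; the cost of each guess grows linearly with iterations."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32
    )


def calibrate(target_seconds: float) -> int:
    """Pick an iteration count costing roughly target_seconds on this machine."""
    start = time.perf_counter()
    stretch("calibration probe", b"\x00" * 16, PROBE_ITERATIONS)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(PROBE_ITERATIONS, int(PROBE_ITERATIONS * target_seconds / elapsed))


def effective_bits(entropy_bits: float, iterations: int) -> float:
    """log2 of the search work, in units of one PBKDF2 iteration.

    The passphrase entropy is unchanged; only the work per guess goes up.
    """
    return entropy_bits + math.log2(iterations)


def average_search_seconds(entropy_bits: float, iterations: int,
                           iterations_per_second: float) -> float:
    """Expected time to find the passphrase: half the space, iterations per guess."""
    return 2 ** (entropy_bits - 1) * iterations / iterations_per_second


if __name__ == "__main__":
    salt = os.urandom(16)        # stored in the clear next to the protected key
    count = calibrate(0.25)      # about a quarter second per unlock for the user
    key = stretch("correct horse battery staple", salt, count)
    rate = 1e9                   # constructed attacker rate, iterations per second
    print(f"iterations={count}, key={key.hex()[:16]}...")
    print(f"40-bit passphrase costs like {effective_bits(40, count):.1f} bits")
    for n in (1, count):
        days = average_search_seconds(40, n, rate) / 86400
        print(f"  {n:>9} iterations: about {days:.2f} days of search")
```

The salt and iteration count have to be stored alongside the protected key so the same derivation can be repeated when the passphrase is entered.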