[4345] in cryptography@c2.net mail archive
Re: Strengthening the Passphrase Model
daemon@ATHENA.MIT.EDU (David Jablon)
Thu Mar 18 13:07:01 1999
Date: Thu, 18 Mar 1999 12:30:12 -0500
To: iang@cs.berkeley.edu (Ian Goldberg)
From: David Jablon <dpj@world.std.com>
Cc: cryptography@c2.net
In-Reply-To: <7cpjdt$hlc$1@abraham.cs.berkeley.edu>
At 01:03 AM 3/18/99 GMT, Ian Goldberg wrote:
> In article <v03130300b2e74ce2cecc@[24.128.119.92]>,
> Arnold G. Reinhold <reinhold@world.std.com> wrote:
>>>> 2. PGP should burn computer time hashing the passphrase. While you cannot
>>>> increase the entropy of a passphrase with an algorithm, ...
But, you can increase the entropy of a passphrase-derived
session key with a key amplifier. In a better situation,
this might help.
>> At 7:47 AM +0000 2/10/99, Antonomasia wrote:
>>>> From memory, Rivest and Wagner have a paper on crypto time locks [...]
Arnold:
>> ... I don't see how it applies here. Finding a passphrase by
>> exhaustive search is an inherently parallel problem.
Ian:
> Indeed; the more appropriate paper to read is "Secure Applications of
> Low-Entropy Keys." John Kelsey, Bruce Schneier, and David Wagner. 1997
> Information Security Workshop. ...
Stretching partially deters attack on stored data.
What you really want is to move your sensitive
password-derived data to a safer place.
And if you can't find that one perfect spot,
how about splitting the password-encrypted key,
keeping part on some hopefully-secure and available server,
and part locally? Then no one compromise permits
exhaustive search.
-- dpj
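The two ideas discussed above, stretching the passphrase and splitting the passphrase-wrapped key between a server and local storage, as an added example that is not code from this thread or from any author named in it. PBKDF2-HMAC-SHA256 as the stretcher, the XOR wrap, the HMAC check tag and all function names are assumptions.

```python
"""Key stretching plus a two-way split of a passphrase-wrapped key.

Constructed example. Holding only the local blob, or only the server share,
gives an attacker nothing against which to test passphrase guesses."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed; raise until one derivation takes ~0.1 s on target hardware


def stretch(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase: every guess now costs ITERATIONS HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=32)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(passphrase: str, data_key: bytes):
    """Wrap data_key under the stretched passphrase, then split the wrapped value.
    Returns (local_blob, server_share); store the two in different places."""
    salt = secrets.token_bytes(16)
    kek = stretch(passphrase, salt)
    wrapped = xor(data_key, kek)                        # one-time-pad wrap; kek is used once
    tag = hmac.new(kek, data_key, "sha256").digest()    # lets the owner confirm the passphrase
    server_share = secrets.token_bytes(len(wrapped))    # uniformly random on its own
    local_share = xor(wrapped, server_share)            # also uniformly random on its own
    return {"salt": salt, "share": local_share, "tag": tag}, server_share


def recover(passphrase: str, local: dict, server_share: bytes):
    """Rejoin the shares and unwrap. Returns data_key, or None when the
    passphrase or either share is wrong."""
    kek = stretch(passphrase, local["salt"])
    data_key = xor(xor(local["share"], server_share), kek)
    tag = hmac.new(kek, data_key, "sha256").digest()
    return data_key if hmac.compare_digest(tag, local["tag"]) else None


def guess_passphrase(candidates, local: dict, server_share: bytes):
    """Models the exhaustive search the thread discusses: with the material
    given, return the first candidate that verifies, else None. With one
    share missing, no candidate verifies, so stretching cost never even applies."""
    for guess in candidates:
        if recover(guess, local, server_share) is not None:
            return guess
    return None
```

An attacker who captures only the server share has no salt and no tag, so there is nothing to run guesses against at all; one who captures only the local blob is in the position of the last `guess_passphrase` call, with a missing 256-bit share to supply.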