Please share (the spreadsheet) with the rest of the class.

Allen wrote:
Ettore wrote:
   Question 1
   ------------------

   What I'd like to know is, how insecure is our proposed scheme?
The entropy of your key will match the one of your password.
If the user chose a sequence of 7 letters, the effective key
length you would get is ~32 bits, which is not difficult to
brute force.

To make matters worse, the user will probably choose some
meaningful word, which drastically reduces the key space and
renders a dictionary attack feasible.

If you think that theoretical key security is really a concern
AND if you think that trojans are not, I advise forcing
the user to enter a long passphrase (rather than a password).
37 characters are enough to reach a single DES level - probably
enough for your application.

Hi Ettore,

While I agree that pass phrases are a better choice, they don't have to be as long as 37 characters to be very secure. I have a spreadsheet based on Philippe Oechslin's optimized Rainbow Table calculation which, with a 1 terabyte table space, says that with a 62 character key space, at 1*10^12 hashes per second it would take 2.4*10^7 years to create the table and 1.4*10^10 years to use the table to find the hash for a 15 character pass phrase.

In fact even as few as 12 characters have 3,279,156,381,453,600,000,000 possible pass phrases and would take 104 years to calculate the table and 81 years to have an 86% chance of finding the correct pass phrase.

The work effort climbs rapidly after 12 characters. However, I still suggest 15 characters as that prevents a LANMAN legacy attack.

If you like I would be more than happy to send you a copy of the spreadsheet so you can play around with it.

Best Regards,

Allen Schaaf - CISSP, CEH, CHFI, CEI
Business Process Analyst - Information Security Analyst
Training & Instructional Designer - Sr. Writer & Documentation Developer - Certified Network Security Analyst & Intrusion Forensics Investigator - Certified EC-Council Instructor

Security is a lot like democracy - everyone's for it but
few understand that you have to work at it constantly.
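The numbers both posters quote (a 7-letter password at ~32 bits, 62^12 and 62^15 passphrases enumerated at 10^12 hashes per second, 37 characters of natural language for DES-level strength) all fall out of the same two formulas. The following is an added example, not a script from either poster's spreadsheet; the 1.5 bits-per-character figure for natural-language text is an assumption used to reproduce Ettore's estimate, not a value from the thread.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed entropy of natural-language text (hypothetical value chosen to
# match the "37 characters for DES level" estimate above; English prose is
# usually estimated at 1 to 1.5 bits per character).
NATURAL_LANGUAGE_BITS_PER_CHAR = 1.5


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Effective key length in bits when each of `length` characters is
    chosen uniformly from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_enumerate(bits: float, guesses_per_second: float) -> float:
    """Years needed to walk a `bits`-bit space once at the given rate.
    Building a rainbow table costs roughly this many hash operations,
    so this is also a lower bound on the table precomputation time."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def min_random_length(alphabet_size: int, target_bits: float) -> int:
    """Shortest uniformly random string over `alphabet_size` symbols that
    reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def min_passphrase_length(target_bits: float,
                          bits_per_char: float = NATURAL_LANGUAGE_BITS_PER_CHAR) -> int:
    """Shortest natural-language passphrase that reaches `target_bits`,
    assuming `bits_per_char` of entropy per character."""
    return math.ceil(target_bits / bits_per_char)


if __name__ == "__main__":
    rate = 1e12  # hashes per second, as in Allen's calculation
    for alphabet, length in [(26, 7), (62, 12), (62, 15)]:
        bits = keyspace_bits(alphabet, length)
        print(f"{length:2d} chars over {alphabet} symbols: {bits:5.1f} bits, "
              f"{years_to_enumerate(bits, rate):.2e} years to enumerate")
    print("DES-level (56 bits) random over 26 letters:",
          min_random_length(26, 56), "chars")
    print("DES-level (56 bits) natural-language passphrase:",
          min_passphrase_length(56), "chars")
```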
_______________________________________________
FDE mailing list
FDE@www.xml-dev.com
http://www.xml-dev.com/mailman/listinfo/fde