All,

I just wanted to say thanks for all the useful comments.

I think I've been convinced that our approach is not a good idea!

John

2008/9/17 Allen <[EMAIL PROTECTED]>

> Justin,
>
> I don't think the list allows attachments, but I'll try. I'll also send
> directly to you.
>
> Allen
>
> Justin Coffi wrote:
>
>>  Please share (the spreadsheet) with the rest of the class.
>>
>> Allen wrote:
>>
>>> Ettore wrote:
>>>
>>>
>>>>>   Question 1
>>>>>   ------------------
>>>>>
>>>>>   What I'd like to know is, how insecure is our proposed scheme?
>>>>>
>>>>>
>>>> The entropy of your key will match the one of your password.
>>>> If the user chose a sequence of 7 letters, the effective key
>>>> length you would get is ~32 bits, which is not difficult to
>>>> brute force.
>>>>
>>>> To make matters worse, the user will probably choose some
>>>> meaningful word, which drastically reduces the key space and
>>>> renders a dictionary attack feasible.
>>>>
>>>> If you think that theoretical key security is really a concern
>>>> AND if you think that trojans are not, I advise forcing
>>>> the user to enter a long passphrase (rather than a password).
>>>> 37 characters are enough to reach a single DES level - probably
>>>> enough for your application.
>>>>
>>>>
>>> Hi Ettore,
>>>
>>> While I agree that pass phrases are a better choice, they don't have to
>>> be as long as 37 characters to be very secure. I have a spreadsheet based on
>>> Philippe Oechslin's optimized Rainbow Table calculation which, with a 1
>>> terabyte table space, says that with a 62 character key space, at 1*10^12
>>> hashes per second it would take 2.4*10^7 years to create the table and 1.4*10^10
>>> years to use the table to find the hash for a 15 character pass phrase.
>>>
>>> In fact even as few as 12 characters has 3,279,156,381,453,600,000,000
>>> possible pass phrases and would take 104 years to calculate the table and 81
>>> years to have an 86% chance of finding the correct pass phrase.
>>>
>>> The work effort climbs rapidly after 12 characters. However, I still
>>> suggest 15 characters as that prevents a LANMAN legacy attack.
>>>
>>> If you like I would be more than happy to send you a copy of the
>>> spreadsheet so you can play around with it.
>>>
>>> Best Regards,
>>>
>>> Allen Schaaf - CISSP, CEH, CHFI, CEI
>>> Business Process Analyst - Information Security Analyst
>>> Training & Instructional Designer - Sr. Writer & Documentation Developer
>>> - Certified Network Security Analyst & Intrusion Forensics Investigator -
>>> Certified EC-Council Instructor
>>>
>>> Security is a lot like democracy - everyone's for it but
>>> few understand that you have to work at it constantly.
>>> _______________________________________________
>>> FDE mailing list
>>> FDE@www.xml-dev.com <mailto:FDE@www.xml-dev.com>
>>> http://www.xml-dev.com/mailman/listinfo/fde
>>>
>>>
>>
>>
>
>
>

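The figures traded in the thread above (a 7-letter password at roughly 32 bits, the 62-character key space of Allen's spreadsheet, the 104-year and 2.4*10^7-year table build times, Ettore's 37 characters to reach single-DES strength) can all be reproduced with a few lines of arithmetic. The script below is an added example, not code from the list or from Allen's spreadsheet. It assumes the 1*10^12 hashes-per-second rate quoted in the thread, assumes that the spreadsheet counts every length up to the stated maximum (which is what makes the 12-character total come out at ~3.279*10^21 rather than 62^12 alone), and uses an assumed 1.5 bits per character for English prose to read Ettore's 37-character figure. The function and constant names are this example's own.

```python
import math

# Reference numbers (constructed for this example, following the thread):
# the hash rate Allen's spreadsheet assumes, and the 56-bit key length of
# single DES that Ettore uses as a yardstick.
HASHES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DES_KEY_BITS = 56

# Character-set sizes used below.
LOWERCASE = 26            # "a sequence of 7 letters"
ALNUM = 26 + 26 + 10      # the 62-character key space in Allen's spreadsheet


def keyspace(charset_size: int, max_len: int, include_shorter: bool = True) -> int:
    """Number of candidate passwords an attacker must cover.

    With include_shorter=True this sums every length from 1 to max_len, which
    (assumption) is how the spreadsheet's 12-character figure of ~3.279e21 is
    reached; 62**12 on its own is ~3.226e21. Python ints are arbitrary
    precision, so the large totals do not overflow.
    """
    lengths = range(1, max_len + 1) if include_shorter else [max_len]
    return sum(charset_size ** n for n in lengths)


def entropy_bits(space: int) -> float:
    """Effective key length in bits for a uniformly chosen secret."""
    return math.log2(space)


def years_to_enumerate(space: int, rate: float = HASHES_PER_SECOND) -> float:
    """Wall-clock years to cover the entire space at `rate` guesses per second.

    This is the one-off cost of building a rainbow table over the space, or
    the per-target cost of a plain brute force. Both are upper bounds: a
    dictionary attack on a "meaningful word" covers far fewer candidates.
    """
    return space / rate / SECONDS_PER_YEAR


def passphrase_bits(length: int, bits_per_char: float = 1.5) -> float:
    """Entropy estimate for a natural-language passphrase.

    bits_per_char=1.5 is an assumption for English prose (well below the
    log2(26) ~ 4.7 bits of a uniformly random letter). With it, the 37
    characters Ettore names come to ~56 bits, i.e. single-DES strength.
    """
    return length * bits_per_char


def meets_target(space: int, target_bits: int = DES_KEY_BITS) -> bool:
    """Policy check: does the key space reach the target effective key length?"""
    return entropy_bits(space) >= target_bits


if __name__ == "__main__":
    seven = keyspace(LOWERCASE, 7, include_shorter=False)
    print(f"7 lowercase letters: {entropy_bits(seven):.1f} bits, "
          f"{years_to_enumerate(seven) * SECONDS_PER_YEAR:.3f} s at 1e12 guesses/s")
    for n in (12, 15):
        space = keyspace(ALNUM, n)
        print(f"<= {n} alphanumerics: {space:.3e} candidates, "
              f"{entropy_bits(space):.1f} bits, {years_to_enumerate(space):.3g} years")
    print(f"37-char passphrase at 1.5 bits/char: {passphrase_bits(37):.1f} bits "
          f"(single DES is {DES_KEY_BITS})")
```

Running it shows the 7-letter key space exhausted in a fraction of a second at the quoted rate, the 12-character alphanumeric space at about 104 years and the 15-character space at about 2.5*10^7 years, matching the spreadsheet's figures within its rounding. The `meets_target` check is the piece a defender would keep: it turns "how insecure is our scheme?" into a policy test against a named bit-strength target.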