----- Original Message -----
From: "lcs Mixmaster Remailer" <[EMAIL PROTECTED]>
Sent: Tuesday, December 05, 2000 3:20 AM


> William Allen Simpson <[EMAIL PROTECTED]> writes:
> > My requirements were (off the top of my head, there were more):
> >
> >  4) an agreed algorithm for generating private keys directly from
> >     the passphrase, rather than keeping a private key database.
> >     Moving folks from laptop to desktop has been pretty hard, and
> >     public terminals are useless.  AFS/Kerberos did this with a
> >     "well-known" string-to-key algorithm, and it's hard to convince
> >     folks to use a new system that's actually harder to use.  We need
> >     to design for ease of use!
>
> This is a major security weakness.  The strength of the key relies
> entirely on the strength of the memorized password.  Experience has
> shown that keys will not be strong if this mechanism is used.
>
> There must be something more.  At a minimum it can be a piece of paper
> with the written-down, long passphrase.  Or it can be a smart card
> with your key on it.  Conceivably it could also be a secure server that
> you trust and access with a short passphrase, where the server can log
> incorrect passphrase guesses.  But if you can attack a public key purely
> by guessing the memorized passphrase which generated the secret part,
> the system will not be secure.

I'm not sure about this, unless you assume that the best attacks are based
on dictionary search (which, for PK algorithms, can be pretty
time-consuming). Let's suppose that the entropy of the passphrase only
amounts to 100 bits: my gut feeling is that breaking a discrete log problem
based on a 512-bit secure hash of that passphrase is much harder than
breaking a 100-bit discrete log problem, and is probably close to a "true"
512-bit problem.

Enzo
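As an added illustration (not part of the thread or anyone's posted code), the item-4 design and the two attack costs the posters compare: a string-to-key derivation into a discrete-log group, the re-derive-and-compare check that needs only a candidate list, and a generic discrete-log search whose cost depends on the group order alone. The group parameters and word list are constructed toy values, far smaller than the 512-bit hash and real DL group under discussion.

```python
import hashlib

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 (a square
# mod p) generates the subgroup of prime order q.  Deliberately tiny so the
# exhaustive discrete-log search below finishes instantly; not for real use.
P = 2879
Q = 1439
G = 4


def string_to_key(passphrase: str) -> int:
    """Derive a DL private key directly from a passphrase (the item-4 design):
    hash it and reduce into [1, q-1].  No salt and no stored state, so the same
    passphrase yields the same key on any machine, which is the usability win."""
    digest = hashlib.sha512(passphrase.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def public_key(x: int) -> int:
    """The published half: g^x mod p."""
    return pow(G, x, P)


def guesses_to_recover(pub: int, candidates):
    """Work needed by someone holding only a candidate list: re-run the public
    derivation for each guess and compare with the published key.  Returns how
    many candidates were tried before a match, or None if none matched.  Note
    that the group size never enters this loop."""
    for tried, guess in enumerate(candidates, start=1):
        if public_key(string_to_key(guess)) == pub:
            return tried
    return None


def dlog_steps(pub: int) -> int:
    """Generic discrete-log work, done here by exhaustive search: walks g^1,
    g^2, ... until it hits pub and returns x, which is also the step count.
    This cost scales with q and is unaffected by how the key was derived."""
    acc = 1
    for x in range(1, Q):
        acc = acc * G % P
        if acc == pub:
            return x
    raise ValueError("public key not in the order-q subgroup")


if __name__ == "__main__":
    # Constructed example: a passphrase that appears in the attacker's list.
    wordlist = ["password", "letmein", "correct horse", "Tr0ub4dor&3"]
    pub = public_key(string_to_key("correct horse"))
    print("guesses until match:", guesses_to_recover(pub, wordlist))
    print("discrete-log steps for the same key:", dlog_steps(pub))
```

The effective work to recover such a key is the smaller of the two counts, so a passphrase drawn from a short list sets the security level regardless of how large q or the hash output is.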
