On Tue, 5 Dec 2000, Enzo Michelangeli wrote:
> I'm not sure about this, unless you assume that the best attacks are based
> on dictionary search (which, for PK algorithms, can be pretty
> time-consuming). Let's suppose that the entropy of the passphrase only
> amounts to 100 bits: my gut feeling is that breaking a discrete log problem
> based on a 512-bit secure hash of that passphrase is much harder than
> breaking a 100-bit discrete log problem, and is probably close to a "true"
> 512-bit problem.
I have seen crypto programs in use that had far less entropy in their
passphrase. (The one I am thinking of used 128 bit algorithms, but had
somewhere around 20 bits of real entropy!)
The reason for the total lack of real entropy was that the system was
designed to be "easy to use".
The program was (and may still be) distributed by a major corporation for
storing customer info (including CC #s) for transmittal to web pages. The
review of the system during the audit was less than nice, but they still
wanted to go ahead with it. It looked nice and it was at the level that
marketing people could use it. (I would mention names, but I think I am
still under NDA about that part.)
[EMAIL PROTECTED] | Note to AOL users: for a quick shortcut to reply
Alan Olsen | to my mail, just hit the ctrl, alt and del keys.
"In the future, everything will have its 15 minutes of blame."
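Worked example of the entropy-bottleneck point the thread turns on, added here as illustration and not code from either poster: hashing a passphrase to 512 bits does not add entropy, so the derived secret is only as strong as the passphrase, and the attacker's cheapest route decides the effective security level. It assumes a generic-group (Pollard rho, ~sqrt(q)) cost for the discrete log and a constructed four-word dictionary.

```python
import hashlib
import itertools
import math

# Constructed example: a tiny word list standing in for a user's real vocabulary.
WORDS = ["red", "blue", "green", "gold"]


def passphrase_entropy_bits(dictionary_size: int, words_per_phrase: int) -> float:
    """Entropy of a phrase made of independent, uniform picks from a word list."""
    return words_per_phrase * math.log2(dictionary_size)


def generic_dlog_cost_bits(group_order_bits: int) -> float:
    """Work (log2) for a generic discrete-log attack such as Pollard rho: ~sqrt(q).
    Assumption: generic group; index-calculus in a prime field is cheaper still."""
    return group_order_bits / 2


def effective_security_bits(passphrase_bits: float, hash_output_bits: int,
                            algorithm_attack_bits: float) -> float:
    """The attacker takes the cheapest path: enumerate passphrases (one hash plus
    one key derivation per guess, so ~2^passphrase_bits work), or attack the
    algorithm directly at its best-known cost. A hash cannot create entropy, so
    the derived secret carries at most min(passphrase, hash output) bits."""
    secret_bits = min(passphrase_bits, hash_output_bits)
    return min(secret_bits, algorithm_attack_bits)


def derived_key_space(words, words_per_phrase: int) -> int:
    """Count the distinct SHA-512 outputs over every phrase the list can produce.
    The count equals the number of phrases, however long the hash output is."""
    keys = {hashlib.sha512(" ".join(p).encode()).hexdigest()
            for p in itertools.product(words, repeat=words_per_phrase)}
    return len(keys)


if __name__ == "__main__":
    # The 100-bit passphrase / 512-bit hash case from the quoted message.
    print(effective_security_bits(100, 512, generic_dlog_cost_bits(512)))  # 100
    # The "128-bit algorithm, ~20 bits of real entropy" product from the reply.
    print(effective_security_bits(20, 128, 128))  # 20
    print(derived_key_space(WORDS, 3))  # 64 phrases -> 64 keys, not 2**512
```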