At 7:20 PM +0000 12/4/2000, lcs Mixmaster Remailer wrote:
>William Allen Simpson <[EMAIL PROTECTED]> writes:
>> My requirements were (off the top of my head, there were more):
>>
>>  4) an agreed algorithm for generating private keys directly from
>>     the passphrase, rather than keeping a private key database. 
>>     Moving folks from laptop to desktop has been pretty hard, and
>>     public terminals are useless.  AFS/Kerberos did this with a
>>     "well-known" string-to-key algorithm, and it's hard to convince
>>     folks to use a new system that's actually harder to use.  We need
>>     to design for ease of use! 
>
>This is a major security weakness.  The strength of the key relies
>entirely on the strength of the memorized password.  Experience has
>shown that keys will not be strong if this mechanism is used.

I agree that the average, untutored user is likely to select a 
passphrase too weak to achieve adequate security. On the other hand, 
storing high-quality keys on a typical server or Internet-connected 
PC presents security risks that are comparable in magnitude.

I believe there are applications where a passphrase generated key is 
preferable. These include situations where keys must be retained for a 
very long time (we know paper lasts) and where people such as 
reporters or NGO workers have to travel to parts of world where any 
physical keying material in their possession could get them in 
trouble.

>
>There must be something more.  At a minimum it can be a piece of paper
>with the written-down, long passphrase.  Or it can be a smart card
>with your key on it.  Conceivably it could also be a secure server that
>you trust and access with a short passphrase, where the server can log
>incorrect passphrase guesses.  But if you can attack a public key purely
>by guessing the memorized passphrase which generated the secret part,
>the system will not be secure.

Writing down the passphrase is reasonable in many, but not all 
situations. Hardware tokens can be damaged or lost.  That risk may be 
unacceptable in some applications.  And is there really such a 
thing as a trustworthy, secure server?  Will Santa bring me one?

I think a standard such as Mr. Simpson suggests is a worthwhile idea. 
No one is forced to use a standard just because it exists. One size 
does not fit all. However I would propose including an option for key 
stretching in any such standard. Key stretchers can bridge the gap 
between what people are willing to memorize and reasonable levels of 
security. I have some ideas for methods that would be more effective 
than mere repeated hashing that I would be glad to contribute.

Arnold Reinhold

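As an added illustration of the passphrase-to-key scheme and the key-stretching option discussed in this thread (example code written for this page, not from any of the posters): a deterministic string-to-key function that needs no stored key material, using PBKDF2-HMAC-SHA256 as a stand-in for the stretching step. The use of the user's identity as a public salt, the `s2k-v1|` domain tag and the iteration count are assumptions of this example.

```python
"""Deterministic string-to-key derivation with key stretching (constructed example)."""
import hashlib
import math
import unicodedata


def string_to_key(identity: str, passphrase: str,
                  iterations: int = 1 << 18, length: int = 32) -> bytes:
    """Derive a fixed-length secret from (identity, passphrase) alone.

    Nothing is stored: the same inputs on a laptop, desktop or public
    terminal yield the same key.  The identity is a public, non-secret
    salt (assumption), so two users with the same passphrase still get
    different keys.  The iteration count is the key-stretching factor.
    """
    # Normalize first so the same passphrase typed on different platforms
    # encodes to identical bytes and therefore the same key.
    ident = unicodedata.normalize("NFKC", identity).encode("utf-8")
    pw = unicodedata.normalize("NFKC", passphrase).encode("utf-8")
    # Domain-separate the salt so this key cannot coincide with keys the
    # same passphrase derives for other purposes (tag is an assumption).
    salt = b"s2k-v1|" + ident
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=length)


def effective_bits(passphrase_bits: float, iterations: int) -> float:
    """Offline guessing cost, in bits, that an attacker faces.

    Since the key depends only on the passphrase, the key is no stronger
    than the passphrase; stretching by N iterations multiplies the cost of
    every guess by N, i.e. adds log2(N) bits of work, not of entropy.
    """
    return passphrase_bits + math.log2(iterations)


def seconds_to_search(passphrase_bits: float, iterations: int,
                      hashes_per_second: float) -> float:
    """Expected time to exhaust the passphrase space at a given hash rate."""
    return 2 ** effective_bits(passphrase_bits, iterations) / hashes_per_second
```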