On 10/26/07, Alex Pankratov <[EMAIL PROTECTED]> wrote: > Or, rephrasing, what should the entropy of the password be > compared to the entropy of the value being protected (under > whatever keying/encryption scheme) ?
The entropy of the data is irrelevant. The question is its value; that affects both the resources an attacker might use to get it and the cost to you if it is lost. If there is no attack on the crypto algorithm better than brute force (a huge "if"!, but there are available algorithms for which we can at least say no such attack has been published) and you can estimate attacker's resources, then you can estimate key size required for safety. Te EFF's DES cracker (many custom-built chips in parallel) broke 56-bit DES in a few days. Assume our brute force enemy can search a 64-bit space (256 times larger) in a second (a few million times faster). Then searching a 96-bit space takes him 2**32 seconds, well over a century. For a 128-bit space, multiply that by another 2**32, so something over 400 billion years. You really don't care about minor variation here, e.g.if our estimates are off by a million and he can do it in 400 million years instead. So, if your crypto is sound,128 bits should theorectically be enough for any data and any human time scale. Practice and theory can differ, though, and you cannot be utterly certain there's not some unpublished attack that does awful things to the crypto. I'd use 256 bits and a well-analyzed algorithm. -- Sandy Harris, Nanjing, China --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
