Alex Pankratov wrote:
Or, rephrasing, what should the entropy of the password be compared to the entropy of the value being protected (under whatever keying/encryption scheme) ?
Eliminating all other variables, such as the hash algorithm used to derive a key from the password (see previous thread) and the computational load of the decryption effort per trial, one might think that the entropy of the password alone would determine the attack effort needed to decrypt the value being protected (the payload). However, the real question to ask is not the password's (Shannon) entropy but the workload necessary to find the password. To give a few examples: - if the value being protected can be efficiently tested (eg, by using it as a key to decrypt a short English text), then the workload necessary to find the password will be reduced even if the password entropy is high. - the workload necessary to find the password may be actually trivial if the password is generated with a non-flat distribution (even though the entropy of the distribution may be quite high, such as 128 bit). - if salt is not used, or used poorly, a dictionary attack can be quite effective to reduce the workload. What matters here is the expected cost of password search, not the password or payload Shannon entropy. For some pointers on this discussion, and why high Shannon entropy does not mean high workload, see http://www.cs.berkeley.edu/~daw/my-posts/entropy-measures Cheers, Ed Gerck --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
