On Mon, Nov 27, 2000 at 09:09:39AM +0100, Marc Mutz wrote:
> John Kennedy wrote:
> <snip>
> > I'm sort of looking for an experience-based answer off of the top of
> > your (or anyone's) head, but we're mixing generalities with math and
> > crypto (not a good combo). I'm wanting to know how much encrypted-
> > knowntext you would need to really compromise the serpent password,
> > which would let you turn around and compromise the rest of the disk.
>
> For what is publicly known, serpent is secure, no matter what. There are
> academic attacks against reduced-round versions, but the cipher as
> defined in the AES paper is secure. Yet that is no guarantee. Tomorrow
> may see a complete break of serpent, but that is unlikely, of course.
> Serpent is a 128 bit blockcipher, meaning, you can encrypt many, _many_
> Gigabytes with it before you get equal ciphertext blocks, which would
> give an attacker some hints. So no problems from that front, too. The
> most probable point of attack is your passphrase. I'd almost bet that it
> does not contain 128 bits of entropy, and if it is just an English
> sentence, it would only contain 1.3 bits/char of entropy.

As I understand them so far, those are the words I wanted to hear. I was
actually assuming that my passphrase was what was going to be attacked (I
expected that it would be the easier of the two).

As far as passphrase entropy, I'm a bit ignorant at the moment. I initially
coded to be compatible with losetup, presuming that it would be coded in a
secure fashion. Without a lot more reading, I can't say if that is true or
not though. I'm under the impression that the 1.3 bits/char problem is pretty
common and that one of the first things you do is run it through a one-way
hash, generating something that looks far more like random bits. I see the
two calls to rmd160_hash_buffer(), but I haven't confirmed that what they're
actually doing is something like what I've been told.

> If you want to know about the feasibility of a known-plaintext attack: No
> such attack is known that is faster than brute force. Yet brute-forcing
> your passphrase may be well feasible.
>
> Does that answer your question?

Enough to spend my time productively on the passphrase, yes. (:

Either the current losetup code will be secure or not and, if not, I'll just
add another layer with a passphrase protecting an encrypted passphrase to the
real data on the disk. (Yes, you could still try to brute-force the first
passphrase, but it and the encrypted 2nd passphrase can easily be kept apart
from the hard-drive encrypted with the 2nd passphrase. If rmd160_hash_buffer()
doesn't introduce enough entropy, that ought to help a lot.)

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
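The entropy argument in Marc's reply and John's question about what the hash step buys him, worked through as an added example (not code from the thread, from losetup, or from rmd160_hash_buffer()). It assumes the 1.3 bits/char figure for English text quoted above, a 128-bit Serpent key, and uses hashlib's RIPEMD-160 where the local OpenSSL provides it, falling back to SHA-256 otherwise; the point it shows is that hashing spreads entropy into key-shaped bits but cannot add any, so the attacker's work is bounded by the passphrase, not the cipher.

```python
import hashlib
import math

ENGLISH_BITS_PER_CHAR = 1.3   # figure quoted in the thread for English prose
KEY_BITS = 128                # Serpent key size discussed in the thread


def passphrase_entropy_bits(passphrase: str,
                            bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> float:
    """Rough entropy estimate: every character assumed to carry bits_per_char."""
    return len(passphrase) * bits_per_char


def chars_needed(key_bits: int = KEY_BITS,
                 bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> int:
    """English characters needed before the passphrase matches the key size."""
    return math.ceil(key_bits / bits_per_char)


def derive_key(passphrase: bytes, key_bytes: int = KEY_BITS // 8) -> bytes:
    """Hash the passphrase into key material, as the losetup step is described.

    Assumption: RIPEMD-160 via hashlib (OpenSSL may not expose it); SHA-256
    is used as a stand-in when it is missing. Either way the output is
    fixed-length and looks random, which is what the thread expects to see.
    """
    try:
        h = hashlib.new("ripemd160")
    except ValueError:
        h = hashlib.sha256()
    h.update(passphrase)
    return h.digest()[:key_bytes]


def effective_key_bits(passphrase: str, key_bits: int = KEY_BITS) -> float:
    """Work factor an attacker actually faces: the hash is a bijection-like
    spreading step, so the search space is the smaller of passphrase space
    and key space, never larger than the passphrase entropy."""
    return min(passphrase_entropy_bits(passphrase), key_bits)


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to exhaust 2**bits guesses at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    sentence = "the quick brown fox jumps over the lazy dog"  # constructed sample
    print(f"{len(sentence)} chars -> ~{passphrase_entropy_bits(sentence):.1f} bits")
    print(f"need ~{chars_needed()} English chars for {KEY_BITS} bits")
    print("derived key:", derive_key(sentence.encode()).hex())
    print(f"years at 1e9 guesses/s: {brute_force_years(effective_key_bits(sentence), 1e9):.2e}")
```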