Re: block ciphers & plaintext attacks

On Wed, Nov 29, 2000 at 10:21:04PM +0000, Marc Mutz wrote:
>>[me]
>>   Is the cipher-encrypted data any more secure with less entropy than
>> with more entropy?
> 
> You mean the other way round, no? It's more secure iff the key contains
> more entropy, i.e. there are simply more possibilities.
> 
>> I think the bit that I have to bend my brain around
>> is that the answer is *NO*.  Less entropy just means that the attacker
>> has to try fewer hashes, and in the end fewer cipher keys.
>
> Yes. If you take your question as you asked it, and not as I answered it.

  No, I meant it as asked, but it might be a bit more ambiguous than
I intended.  As far as the cipher key is concerned, if I have a 128-bit
key and you don't know how I generated the bits, it might as well be
very secure.  You don't know how much entropy "input range" I have,
so you end up assuming the worst.

  If I tell you I've used some known-good RIPEMD hash function with a
100-character passphrase, it is even more secure.  It is a known algorithm
with more than adequate entropy and you're probably really discouraged,
without much hope that I've done something stupid generating it.

  On the other hand, if I told you that the password the hash was
generated from only had four digits in it, suddenly the key is very
insecure and trivial to break.

  Either way, I think, the (serpent) CIPHER doesn't care.  Entropy is
of concern for the KEY, not the cipher.  The 1-in-2^128 chance that you
got all-zeros with a high-entropy bitstream or the null-password that
generated the same bitstream is all the same to the cipher.  The amount
of entropy just lets us have an idea of how worthwhile it is to attack
the key.

> >   As an example, if I got *really* unlucky and my high-entropy bitstream
> > happened to be all zeros, the data isn't encrypted any more securely than
> > if I had a really bad hash generator that only let me pick a single digit
> > between 0 and 9 as the bitstream.  It makes a great deal of difference to
> > an attacker that is thinking about trying to brute-force me.  2^X vs. 10.
>
> No. If you have a key with entropy 128 bits and it happens to be all
> zeros (this has then probability 2^{-128}), this will be nothing the
> attacker can take advantage of. An all-zeros sequence will be just as
> likely to occur as the sequence I gave you above in the line with "key
> =". Yet, brute-force key search may of course start at an all-zeros key,
> yet it could as well start with 580687838abb0ae8ad77a8192c6fc6be.
> Entropy is not about a given key. It is about the size of the set of
> possibilities this key has been chosen from.

  Would your answer change with my clarification, above?

  The 10-in-2^128 chance vs. 10-in-10 is for guessing the correct key.
The data isn't written any differently regardless of the key.

  Another ridiculous example to make my point would be if I generated
10 different high-entropy keys and use one of them.  Cipher and key
are very secure, and it would be a waste of time to brute-force it.  If
I told you all 10 keys that I considered, it is suddenly trivially easy.

  To get back to the main point, the cipher-encrypted data isn't any more
or less secure if you look at the cipher aspect alone.  It is the key
that is important, and the difficulty perceived in brute-forcing it.


>>   In my original email, above, I'm protecting a key (key2, with a
>> good range of input) with encryption, that is decoded by another key
>> (key1, with a smaller range of input).  If I knew I had decrypted key2
>> correctly with key1 then I would have a weakest-link situation.  If I
>> don't know, then an incorrect key2 complicates the hell out of finding
>> the correct cipher key.  It may not magnify it, but I doubt if it helps
>> to eliminate anything.
>
> Yes, it does not help, but it is still moot. That is because you can be
> in the following two cases:
> 
> a.) Your encrypted second key is accessible by the attacker.
> b.) It is not.

  Yup.  And if it isn't, it is perceived as being a lot more difficult.
I could lie and say that my password was 100 characters long and it is
suddenly more secure (if you believe me).  You can't just look at the
key and know how much entropy went into it (as far as I know).

>>   It may not contribute a whole lot to the security, but if key2 is
>> disposed of, the pulling-fingernails approach won't work for decryption.  (:
> 
> How can you? If you throw away key2, then you are no longer able to
> decrypt the data yourself. And an attacker, not believing you, may still
> pull your fingernails while slowly asking the question "Where do you
> have it?" again and again (repeat 10 times).

  Nope, I can't.  Maybe I'm a good little spy and don't want the secrets
to fall into the wrong hands.  Maybe I'm a bad little cracker and the
feds have just knocked down the front door (and I have backups, protected
by a different key, etc).  Anyway, the data is suddenly very secure,
even from myself.

  Not much I can do about the fingernails, either way.  (:

> Bottomline: Choose a passphrase that has at least 64 bits of entropy and
> you should be as secure as you need to be.

  Presumably a good rule of thumb.

Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
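The argument of the message above (the cipher does not care how the key was made; the attacker's work is the size of the set the key was drawn from; and a strong key2 wrapped under a weak key1 costs the attacker only the key1 search), as an added worked example that is not part of the original thread or of any Linux crypto patch. Everything in it is a stand-in: SHA-256 replaces the RIPEMD derivation mentioned in the mail (RIPEMD-160 is not available in every Python build), a hash-based XOR keystream replaces Serpent purely so the number of trial decryptions can be counted, and the attacker is assumed to recognise a known prefix of the plaintext. The PIN, the plaintext and the function names are constructed for the example.

```python
"""Added example: cost of brute-forcing a passphrase-derived 128-bit key,
and of a random key2 wrapped under such a key (key1).

Stand-ins (assumptions, not what the thread's software does):
- derive_key: SHA-256 truncated to 128 bits instead of RIPEMD.
- encrypt/decrypt: XOR with a SHA-256-based keystream instead of Serpent.
  It is only a counter of cipher operations, not a secure cipher.
"""
import hashlib
import itertools
import math
import os
from typing import Iterable, Optional, Tuple

KEY_BYTES = 16  # 128-bit key, as in the thread


def derive_key(passphrase: str) -> bytes:
    """Passphrase -> 128-bit key.  The cipher never sees the passphrase,
    only these 16 bytes; it cannot tell a PIN-derived key from a random one."""
    return hashlib.sha256(passphrase.encode()).digest()[:KEY_BYTES]


def _keystream(key: bytes, n: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a keyed keystream.  Decrypt is the same op."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


decrypt = encrypt


def effective_bits(candidate_count: int) -> float:
    """Work factor of the key as seen by the attacker: log2 of the set size
    the key was chosen from (10^4 for a 4-digit PIN), not the key length."""
    return math.log2(candidate_count)


def pin_candidates() -> Iterable[str]:
    """All 4-digit PINs, 0000..9999, in order (the attacker's whole search)."""
    return ("".join(d) for d in itertools.product("0123456789", repeat=4))


def brute_force(ciphertext: bytes, known_prefix: bytes,
                candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each candidate passphrase against a ciphertext with a recognisable
    prefix.  Returns (passphrase, tries) or (None, tries)."""
    tries = 0
    for pw in candidates:
        tries += 1
        if decrypt(derive_key(pw), ciphertext).startswith(known_prefix):
            return pw, tries
    return None, tries


def brute_force_wrapped(wrapped_key2: bytes, ciphertext: bytes,
                        known_prefix: bytes, candidates: Iterable[str]
                        ) -> Tuple[Optional[str], Optional[bytes], int]:
    """key2 (random, 128 bits) was encrypted under key1 = derive_key(pin);
    the data under key2.  A raw unwrap carries no check, so every candidate
    key1 yields a plausible-looking key2; the attacker only learns which one
    is right by decrypting the data with it.  Cost: one extra cipher call per
    candidate, still bounded by the key1 keyspace, never by 2^128."""
    tries = 0
    for pw in candidates:
        tries += 1
        key2_guess = decrypt(derive_key(pw), wrapped_key2)
        if decrypt(key2_guess, ciphertext).startswith(known_prefix):
            return pw, key2_guess, tries
    return None, None, tries


def demo() -> Tuple[Optional[str], int, Optional[str], bool, int]:
    msg = b"BEGIN SECRET: meet at noon"   # constructed sample plaintext
    known = b"BEGIN SECRET:"              # the part the attacker recognises
    pin = "7312"                          # constructed weak passphrase

    # 1. Data directly under the PIN-derived key: 10^4 trial decryptions at most.
    ct = encrypt(derive_key(pin), msg)
    found, tries = brute_force(ct, known, pin_candidates())

    # 2. Random key2 wrapped under key1 from the PIN: weakest link wins.
    key2 = os.urandom(KEY_BYTES)
    wrapped = encrypt(derive_key(pin), key2)
    ct2 = encrypt(key2, msg)
    found2, key2_guess, tries2 = brute_force_wrapped(wrapped, ct2, known,
                                                     pin_candidates())
    return found, tries, found2, key2_guess == key2, tries2


if __name__ == "__main__":
    print(demo())
    print("effective key bits for a 4-digit PIN:", effective_bits(10 ** 4))
```

Both searches stop at the 7313th candidate (PINs are tried from 0000 upwards), whether the data sits directly under the PIN-derived key or under a random key2 that was itself wrapped under that key: the wrapping adds one cipher call per guess, not a second keyspace. Replacing the PIN candidates with a passphrase set of 2^64 or more possibilities is what makes the same code infeasible, which is the point of the bottom line quoted at the end of the mail.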

