On Wed, Nov 29, 2000 at 11:09:30AM -0800, John Kennedy wrote:
>
> In my original email, above, I'm protecting a key (key2, with a
> good range of input) with encryption, that is decoded by another key
> (key1, with a smaller range of input). If I knew I had decrypted key2
> correctly with key1 then I would have a weakest-link situation. If I
> don't know, then an incorrect key2 complicates the hell out of finding
> the correct cipher key. It may not magnify it, but I doubt if it helps
> to eliminate anything.
>

Having a key encrypted by another key doesn't bother the attacker one
bit. Consider the case where key1 has the same entropy as key2. The
attacker can simply try all possible key1 combinations, and for each
one, find the corresponding key2 key which is then used to decrypt the
data. This requires 2x the time to brute-force, but that is comparable
to having a single key with 1 bit more entropy. It is also such a low
constant that using a cipher which requires more time during key-setup
will have the same, or greater, effect.

However, having a key encrypted with another key can be very practical
in many ways:

o For instance if you create a random 256-bit key to use for your
  encrypted filesystem, you can encrypt this key with PGP. If you fear
  that your password might be compromised, you can change the password
  for your encrypted key without having to re-encrypt the whole dataset.

o You can also use more advanced crypto-software such as letting N
  people know parts of a key and requiring that m out of N agree to
  unlock the encrypted disk.

o If you rarely need to decrypt your 256-bit key, you can physically
  store the weakly encrypted key somewhere else. A 256-bit key
  encrypted with another 10-bit entropy key stored in a sufficiently
  secure vault isn't necessarily a weak link.

astor
-- 
Alexander Kjeldaas
Mail: astor@xxxxxxx
finger astor@xxxxxxxxxxxxxxxxx for OpenPGP key.
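A toy illustration of the two points made in the reply above (exhausting the key1 space costs at most about one extra bit of work, while re-wrapping lets you change the password without touching the dataset), added here as example code that is not part of the original post. It assumes an HMAC-SHA256 counter-mode keystream with an authentication tag as a stand-in for a real cipher, plain SHA-256 as a stand-in KDF, and a constructed 10-bit password space.

```python
import hashlib
import hmac

TAG = 16  # bytes of HMAC tag appended to every ciphertext

def kdf(password: bytes) -> bytes:
    # Stand-in for PBKDF2/scrypt; plain SHA-256 keeps the toy search fast (constructed).
    return hashlib.sha256(b"wrap-kdf|" + password).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (illustration only).
    out = bytearray()
    for ctr in range(0, len(data), 32):
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key: bytes, data: bytes) -> bytes:
    body = _xor_stream(key, data)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG]

def decrypt(key: bytes, blob: bytes):
    body, tag = blob[:-TAG], blob[-TAG:]
    expect = hmac.new(key, body, hashlib.sha256).digest()[:TAG]
    if not hmac.compare_digest(expect, tag):
        return None  # wrong key: the tag says so, no guessing needed
    return _xor_stream(key, body)

def wrap_key(password: bytes, data_key: bytes) -> bytes:
    return encrypt(kdf(password), data_key)

def rewrap(old_pw: bytes, new_pw: bytes, wrapped: bytes) -> bytes:
    # Password change: only the small wrapped key is rewritten; the dataset is untouched.
    data_key = decrypt(kdf(old_pw), wrapped)
    if data_key is None:
        raise ValueError("old password does not unwrap the key")
    return wrap_key(new_pw, data_key)

def exhaustive_work(wrapped: bytes, ciphertext: bytes, candidates):
    """Try every key1 candidate: one unwrap each, plus one data decrypt on the hit.
    Returns (tries, plaintext). Work <= 2 * len(candidates): about one extra bit."""
    tries = 0
    for pw in candidates:
        tries += 1
        key2 = decrypt(kdf(pw), wrapped)
        if key2 is not None:
            return tries, decrypt(key2, ciphertext)
    return tries, None

PASSWORD_SPACE = [b"pw-%04d" % i for i in range(1024)]  # 10-bit key1 space (constructed)
```

The effective strength of the wrapped 256-bit key is bounded by the 10-bit password space, not by the key's own length; what the wrapping buys is cheap password rotation, not extra entropy.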
Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/