On Thu, Sep 15, 2011 at 06:08:46PM +0200, Sven Eschenberg wrote: > Hi Arno, [...] > >> Best approach of course would be to determine the entropy of the > >> keyfile/passphrase, compare it to the requested keylength (and mode) and > > > > In practice this is infeasible, see example above. > > Coming back to the example, I suggested *calculating* the entropy instead > of a char count. I was thinking of good old Mr. Shannon there. That should > give a feasible measurement of the passphrase quality. Of course this > cannot take into account attacks based on dictionaries... Does not work, as you cannot have a good source model. Shannon entropy assumes a source without memory, i.e. emitted symbols are independent. In practice you combine not independent symbols (bits) into symbols large enough to get a reasonable approximation of that. The approximation quality is very much dependent on the application however. (Trust me, I did a PhD on entropy estimation ;-) In my example, I give you two source models: 1. single-character (byte) model for emglish, with 1.5...2.5 bit/char of entropy. This model is easy to implement but potentially hugely inaccurate, see examnple. 2. Whole passprase as 1 symbol model. This one is accurate, but cannot be implemented as a table that can neiter be generated nor stored would be needed. The best approximation I can come up with for this is to google the passphrase (with outer quotes). That would still be pretty bad and tell google and your web-browser and potential proxies your passphrase. There are more models, but all that are implementable have rather bad failure possibilities or are hugely expensive in terms of time and space. Many are both. See also FAQ entry on selecting Passphrases, especally the Harry Potter example. > > > >> then decide what to do: Reject, compensate by key stretching, Accept. > > > > You basically can only accept and hope the user knows what they do. > > Of course in a perfect world, we could hope for users knowing what they > are doing ;-). Salting helps. Iteraton helps. But testing passphrase quality is only possible in an one-sided way, i.e. you can recognize some bad ones, but you can not recognize good ones. Sorry, for burting this bubble. Your apporach is intuitive and if it could be implemented it would be the way to go, but it cannot be implemented well. The only two safe approaches are 1. Assume the passphrase may be low-entropy. Offer the best possible security for that. This is what LUKS does. If the user messes up, there is still some securit level. 2. Assme the passphrase is high-entropy and warn the user accordingly. This is the plain dm-crypt approach. If the user messes up, security is gone. n the plus side this is easy to implement, does not need any metadata and is fast. Both approaches have their place. LUKS does a pretty good job for novices. Still, understanding passphrases is required for a secure selection. I have described both approaches in the cryptsetup FAQ in detail. Anybody that wanst to can find out how to do it right. Those that do not care will never have real security anyways. See also http://xkcd.com/936/ Probably will add that to the FAQ as well. Note that the second example uses a word-entropy model and requires the words to be random. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
