From: smb@research.att.com
To: Hal <hfinney@shell.portal.com>
Message Hash: 283708bf75365624c76529501ecd64cab88bfa7488b85fede3535f8020063c01
Message ID: <9407040148.AA29983@toad.com>
Reply To: N/A
UTC Datetime: 1994-07-04 01:48:18 UTC
Raw Date: Sun, 3 Jul 94 18:48:18 PDT
Subject: Re: Password Difficulties

I suspect that Kent is right that most pass phrases don't have
over 50 or 60 bits of entropy, far below the 128 bits of
protection that we like to think IDEA is giving us.

There's an interesting issue here: is it feasible to construct an
enumeration based on the 50-60 bits of information? If not, the
protection is rather stronger in a practical sense. But if one can
generate a reasonably comprehensive enumeration, then an enemy who
can brute-force (say) a 56-bit key could attack a PGP keyring as well.

It should be more or less obvious to this group, but it bears repeating
anyway. The number of possible keys sets an upper bound on the
difficulty of attacking a system; it says nothing about the lower bound.
(Proof: a monoalphabetic substitution on English has 26! possible keys,
which is about 88 or 89 bits. But solutions are extremely trivial.)

Passphrases aren't 128 bits -- but they may be quite strong nevertheless.
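
Added example, not part of the original message: a passphrase-strength audit in Python that makes the enumeration point concrete. A 128-bit key derived from a passphrase is only as strong as the space the passphrase was drawn from. The 16-word list, the SHA-256-based `derive_key` stand-in and all function names are assumptions made for illustration.

```python
import hashlib
import itertools
import math

# Constructed 16-word vocabulary (4 bits per word). A real audit would use
# the word list the passphrase generator actually draws from.
WORDS = ["amber", "birch", "cedar", "delta", "ember", "flint", "grove",
         "haven", "ivory", "jewel", "kelp", "lotus", "maple", "north",
         "olive", "pearl"]

def derive_key(passphrase: str) -> bytes:
    """Stand-in KDF (assumption): hash the passphrase down to a 128-bit key."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()[:16]

def effective_bits(vocab_size: int, n_words: int) -> float:
    """Entropy of n words chosen uniformly and independently from the list."""
    return n_words * math.log2(vocab_size)

def words_needed(vocab_size: int, target_bits: int) -> int:
    """Words required before the passphrase space reaches target_bits."""
    return math.ceil(target_bits / math.log2(vocab_size))

def enumerate_until(target_key: bytes, words, n_words: int):
    """Walk the whole passphrase space in order.

    Returns (passphrase, guesses) on a match, or (None, guesses) when the
    passphrase lies outside the enumeration, which is the case where the
    practical protection is stronger than the entropy estimate suggests.
    """
    guesses = 0
    for combo in itertools.product(words, repeat=n_words):
        guesses += 1
        candidate = " ".join(combo)
        if derive_key(candidate) == target_key:
            return candidate, guesses
    return None, guesses

if __name__ == "__main__":
    key = derive_key("cedar maple flint")       # key is 128 bits long
    found, guesses = enumerate_until(key, WORDS, 3)
    print(f"key bits: {len(key) * 8}, passphrase bits: {effective_bits(16, 3)}")
    print(f"recovered {found!r} after {guesses} guesses")
    print(f"words needed for 128 bits (7776-word list): {words_needed(7776, 128)}")
```
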