1994-07-04 - Re: Password Difficulties

Header Data

From: smb@research.att.com
To: Hal <hfinney@shell.portal.com>
Message Hash: 283708bf75365624c76529501ecd64cab88bfa7488b85fede3535f8020063c01
Message ID: <9407040148.AA29983@toad.com>
Reply To: N/A
UTC Datetime: 1994-07-04 01:48:18 UTC
Raw Date: Sun, 3 Jul 94 18:48:18 PDT

Raw message

From: smb@research.att.com
Date: Sun, 3 Jul 94 18:48:18 PDT
To: Hal <hfinney@shell.portal.com>
Subject: Re: Password Difficulties
Message-ID: <9407040148.AA29983@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


	 I suspect that Kent is right that most pass phrases don't have
	 over 50 or 60 bits of entropy, far below the 128 bits of
	 protection that we like to think IDEA is giving us.

There's an interesting issue here:  is it feasible to construct an
enumeration based on the 50-60 bits of information?  If not, the
protection is rather stronger in a practical sense.  But if one can
generate a reasonably comprehensive enumeration, then an enemy who
can brute-force (say) a 56-bit key could attack a PGP keyring as well.

It should be more or less obvious to this group, but it bears repeating
anyway.  The number of possible keys sets an upper bound on the
difficulty of attacking a system; it says nothing about the lower bound.
(Proof:  a monoalphabetic substitution on English has 26! possible keys,
which is about 88 or 89 bits.  But solutions are extremely trivial.)
Passphrases aren't 128 bits -- but they may be quite strong nevertheless.
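
The enumeration question raised in the message, as an added example that is not part of the original e-mail: a 128-bit key derived from a phrase is only as hard to search as the model that generates the phrase. The word list, the truncated SHA-256 derivation (a stand-in, not PGP's actual scheme), and all function names are assumptions made for illustration.

```python
import hashlib
import itertools
import math

# Constructed toy vocabulary; a realistic phrase model would be far larger.
WORDS = ["amber", "birch", "cedar", "delta", "ember", "flint", "grove", "heron"]

def derive_key(passphrase: str) -> bytes:
    """Map a passphrase to a 128-bit key (assumed derivation: truncated SHA-256)."""
    return hashlib.sha256(passphrase.encode()).digest()[:16]

def model_bits(vocab_size: int, n_words: int) -> float:
    """Entropy in bits of n_words drawn uniformly from vocab_size words."""
    return n_words * math.log2(vocab_size)

def enumerate_phrases(words, n_words):
    """Yield every phrase the model can produce, in a fixed order."""
    for combo in itertools.product(words, repeat=n_words):
        yield " ".join(combo)

def trials_to_find(target_key: bytes, words, n_words):
    """Return (trial count, phrase) for the matching key, or None if the
    phrase lies outside the model, where the enumeration gives no help."""
    for i, phrase in enumerate(enumerate_phrases(words, n_words), start=1):
        if derive_key(phrase) == target_key:
            return i, phrase
    return None

def substitution_keyspace_bits() -> float:
    """log2(26!), the monoalphabetic key count cited in the message."""
    return math.log2(math.factorial(26))

if __name__ == "__main__":
    key = derive_key("heron flint cedar")
    print(f"key: {len(key) * 8} bits, phrase model: {model_bits(len(WORDS), 3):.0f} bits")
    print("inside model: ", trials_to_find(key, WORDS, 3))
    print("outside model:", trials_to_find(derive_key("correct horse"), WORDS, 3))
    print(f"log2(26!) = {substitution_keyspace_bits():.2f} bits")
```

The search cost is bounded by the 2^9 phrases the model can emit, not by the 2^128 keys the cipher accepts; a phrase the model cannot produce is never found, which is the practical strength the message refers to.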




