
At 5:32 PM 6/20/96, Deranged Mutant wrote:
On 20 Jun 96 at 10:29, Adam Shostack wrote in cypherpunks@toad.com:
Not to defend the safemail folks, but this does remind me of something that NeXT did with Eliptic curve based systems; there was no storage of the private key, it was generated from the passphrase at run time. It was a side discussion, maybe with Andrew Lorenstien? Andrew?
Daniel R. Oelke wrote:
The HKS archives are still down, but a while back on the coderpunks list was an interesting idea about hashing a passphrase to seed a crypto PRNG and use the first good set of primes etc. for a secret and private key pair. Only the private key is saved in such a case.
I haven't seen this particular idea, but a general point to always bear in mind is that "entropy doesn't increase" (despite what you may have heard about that other kind of entropy....).

To wit, if there are N bits of entropy in a passphrase (or whatever is the basic key, be it typed in, read from a floppy, whatever), then no amount of deterministic crunching by a PRNG (or whatever) will increase this.

(I say "deterministic" in the sense that all parties presumably need to run the same PRNG and get the same output from the same "seed" (= passphrase, in this scheme). Thus, the PRNG cannot add additional randomness or entropy. Unless I am misunderstanding the proposal...)

So, if the passphrase is 22 characters, as in the "Safemail" proposal (such as it is), that's all that can be gotten. Period. There just aren't enough "places" in the space of starting points. Anyone with access to the algorithms used to process the 22 characters (154 bits if 7 bits are used for each character) can brute force search the space in a relatively short time. (If the later processing algorithms are supposed to be "secret," then of course this is a cryptographic faux pas of the first magnitude, usually dismissed as "security through obscurity.")

By the way, amongst other defects, "Safemail" is a pretty bad name for a company, being that RSA Data Security has or had a product called "MailSafe." (The same thing happened with the Web search tool made by "Architext." There was a Macintosh hypertext program with the same name, which I bought in 1990. Someone I knew who worked for Architext was confused by my denunciation of Architext....such name collisions make for interesting situations.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

Timothy C. May wrote:
I haven't seen this particular idea, but a general point to always bear in mind is that "entropy doesn't increase" (despite what you may have heard about that other kind of entropy....).
To wit, if there are N bits of entropy in a passphrase (or whatever is the basic key, be it typed in, read from a floppy, whatever), then no amount of deterministic crunching by a PRNG (or whatever) will increase this.
(I say "deterministic" in the sense that all parties presumably need to run the same PRNG and get the same output from the same "seed" (= passphrase, in this scheme). Thus, the PRNG cannot add additional randomness or entropy. Unless I am misunderstanding the proposal...)
So, if the passphrase is 22 characters, as in the "Safemail" proposal (such as it is), that's all that can be gotten. Period. There just aren't enough "places" in the space of starting points. Anyone with access to the algorithms used to process the 22 characters (154 bits if 7 bits are used for each character) can brute force search the space in a relatively short time. (If the later processing algorithms are supposed to be "secret," then of course this is a cryptographic faux pas of the first magnitude, usually dismissed as "security through obscurity.")
Generally agreed, but I would like to mention a couple of points. I would argue that 154 bits of entropy is enough, but then I would also argue that a 22 character passphrase is unlikely to generate these 154 bits of entropy.

Gary
--
pub  1024/C001D00D 1996/01/22 Gary Howland <gary@systemics.com>
Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06
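An added illustration of the point both posts make (this is example code, not anything from the thread or from the Safemail product): when a key pair is derived deterministically from a passphrase, the number of distinct keys reachable can never exceed the number of distinct passphrases, whatever the nominal key length, and a 22-character passphrase assembled from a word list sits far below the 154-bit ceiling. The derivation is modelled as SHA-256 seeding Python's `random` module (a stand-in, not a cryptographic PRNG); the 1024-bit key size, the 2048-word list and the toy passphrase space are assumptions made for the demonstration.

```python
import hashlib
import math
import random

# Added example, not from the thread. Models "hash the passphrase, seed a
# PRNG, take the first good output as the private key" to show that a
# deterministic derivation cannot add entropy: the reachable key space is
# exactly the passphrase space, no matter how long the key is.

KEY_BITS = 1024  # nominal key size; an assumption for illustration only


def derive_key(passphrase: str, key_bits: int = KEY_BITS) -> int:
    """Deterministically derive a key_bits-bit integer from a passphrase.

    SHA-256 of the passphrase seeds Python's Mersenne Twister (a stand-in
    for the 'crypto PRNG' in the proposal; not suitable for real keys).
    Every party running this on the same passphrase gets the same key.
    """
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    return random.Random(seed).getrandbits(key_bits)


def reachable_keys(passphrases) -> int:
    """Number of distinct keys reachable from a set of candidate passphrases.

    This is bounded above by len(passphrases): the search space an attacker
    faces is the passphrase space, not the 2**KEY_BITS key space.
    """
    return len({derive_key(p) for p in passphrases})


def entropy_bound_bits(length: int, alphabet_size: int) -> float:
    """Ceiling on passphrase entropy if every character were uniformly random."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase made of num_words uniform picks from a word list."""
    return num_words * math.log2(wordlist_size)


# Constructed toy passphrase space: every pair of words from a 4-word list.
TOY_WORDS = ["alpha", "bravo", "charlie", "delta"]
TOY_PASSPHRASES = [a + " " + b for a in TOY_WORDS for b in TOY_WORDS]

if __name__ == "__main__":
    print("22 chars, 7-bit alphabet :", entropy_bound_bits(22, 128))    # 154.0
    print("22 chars, printable ASCII:", entropy_bound_bits(22, 95))     # ~145.2
    print("4 words from 2048-word list:", wordlist_entropy_bits(4, 2048))  # 44.0
    print("toy space: %d passphrases -> %d distinct %d-bit keys"
          % (len(TOY_PASSPHRASES), reachable_keys(TOY_PASSPHRASES), KEY_BITS))
```

Four words from a 2048-word list is already about 22 characters, so the realistic figure is closer to 44 bits than 154, which is the gap Gary's reply points at.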