[dm-crypt] request for zulucrypt to be mentioned in cryptsetup main page.
arno at wagner.name
Fri Sep 16 01:03:03 CEST 2011
On Thu, Sep 15, 2011 at 06:08:46PM +0200, Sven Eschenberg wrote:
> Hi Arno,
> >> Best approach of course would be to determine the entropy of the
> >> keyfile/passphrase, compare it to the requested keylength (and mode) and
> > In practice this is infeasible, see example above.
> Coming back to the example, I suggested *calculating* the entropy instead
> of a char count. I was thinking of good old Mr. Shannon there. That should
> give a feasible measurement of the passphrase quality. Of course this
> cannot take into account attacks based on dictionaries...
Does not work, as you cannot have a good source model. Shannon
entropy assumes a source without memory, i.e. emitted symbols
are independent. In practice you combine not independent symbols
(bits) into symbols large enough to get a reasonable approximation
of that. The approximation quality is very much dependent on
the application however. (Trust me, I did a PhD on entropy
In my example, I give you two source models:
1. single-character (byte) model for emglish, with 1.5...2.5 bit/char
of entropy. This model is easy to implement but potentially hugely
inaccurate, see examnple.
2. Whole passprase as 1 symbol model. This one is accurate, but
cannot be implemented as a table that can neiter be generated
nor stored would be needed. The best approximation I can
come up with for this is to google the passphrase (with outer
quotes). That would still be pretty bad and tell google
and your web-browser and potential proxies your passphrase.
There are more models, but all that are implementable have
rather bad failure possibilities or are hugely expensive in
terms of time and space. Many are both.
See also FAQ entry on selecting Passphrases, especally the
Harry Potter example.
> >> then decide what to do: Reject, compensate by key stretching, Accept.
> > You basically can only accept and hope the user knows what they do.
> Of course in a perfect world, we could hope for users knowing what they
> are doing ;-).
Salting helps. Iteraton helps. But testing passphrase quality
is only possible in an one-sided way, i.e. you can recognize
some bad ones, but you can not recognize good ones.
Sorry, for burting this bubble. Your apporach is intuitive and
if it could be implemented it would be the way to go, but it cannot
be implemented well. The only two safe approaches are
1. Assume the passphrase may be low-entropy. Offer the best possible
security for that. This is what LUKS does. If the user messes
up, there is still some securit level.
2. Assme the passphrase is high-entropy and warn the user accordingly.
This is the plain dm-crypt approach. If the user messes up,
security is gone. n the plus side this is easy to implement,
does not need any metadata and is fast.
Both approaches have their place. LUKS does a pretty good
job for novices. Still, understanding passphrases is required
for a secure selection.
I have described both approaches in the cryptsetup FAQ in detail.
Anybody that wanst to can find out how to do it right. Those
that do not care will never have real security anyways.
See also http://xkcd.com/936/ Probably will add that to the FAQ
as well. Note that the second example uses a word-entropy model
and requires the words to be random.
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
More information about the dm-crypt