 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Monowall and Freeswan
 Date:  Wed, 9 Feb 2005 14:51:42 -0800 (PST)

On Tue, 8 Feb 2005, Josh McAllister wrote:

> Sorry... but you're way off. You sound quite knowledgeable... perhaps
> just misguided. If you take A-Z,a-z,1-10,!-), plus other assorted
> symbols, you get > 72 possible char, but even @ 64 you'd still have a
> theoretical best of 6 bits of entropy. 

Emphasis on "theoretical best".  A set of N bits only has N bits of
entropy if all 2^N combinations are equally likely.  In the context of
"guessability", that doesn't simply mean that the cases are used with
equal frequency in general, but also that it's impossible to use *any*
other information to establish unequal probabilities of the cases.

> The 1 bit notion is over-quoted, and over-exaggerated. That is worst
> case scenario, which applies to (unfortunately too many) people who are
> too ignorant to realize that "lastname" or "emantsal" are not strong
> passwords. 

Just what part of "ordinary English text" was unclear?  The minute you
call it a "password", you invite such behavior.  Most typical
"passwords" can be cracked with a dictionary that has only 2400 entries.

Even when cracking something that may not *necessarily* be a "password" or
"passphrase", that possibility can be exploited simply by testing
"phraselike" cases first.

> If you used a random generator to generate a 20 char. password even with
> a limited char. set of 64 chars, you'd still get 6*20=120 bits of

As I already explained.  Note that it doesn't make sense to use more than
64 characters if one is limited to printable US-ASCII, since the maximum
alphabet meeting that requirement has 94 characters, and that just isn't
worth it for an extra 0.55 bits/char.

> entropy. Real world numbers with a person selecting a "strong password"
> with mixed case/numbers/symbols would be somewhere in the middle.

Humans aren't very good at picking things randomly.  That's why shared
lottery jackpots aren't all that uncommon. :-)

There are algorithms for generating character strings that have
semi-decent per-character entropy while being sort of easy to remember,
but there's no reason to take that approach for something like an IPsec
PSK, which only needs to be entered at configuration time.

> Also, in the real world, it takes much more than 1 ms per try to conduct
> any kind of man-in-the-middle / spoofing attack no matter how fast the
> perpetrator can calculate the combinations.

*Who's* being misguided?  Nothing of the sort is necessary, with the
"expensive" part being done completely offline after passively
eavesdropping on a single exchange.  In aggressive mode, the hash result
and the nonce are sent in the clear, and the hash function is known.  The
only thing necessary to test a candidate key is the hash computation,
which can easily be performed in under a millisecond.  As I already
explained, main mode improves on this by requiring the ephemeral DH key to
be cracked first.

There's a reason why Unix systems no longer make the hashed passwords
public.

> Just trying to stop the perpetuation of FUD.

Charity begins at home.

					Fred Wright
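
An added example, not part of the original message or of m0n0wall: a Python sketch that generates an IPsec PSK by drawing uniformly from a 64-symbol alphabet and compares its keyspace with the figures quoted in the thread (a 2400-entry dictionary, 1 ms per offline guess). The alphabet and the function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed 64-symbol alphabet (A-Z, a-z, 0-9, '-', '_'): exactly 6 bits per character.
ALPHABET = string.ascii_letters + string.digits + "-_"


def bits_per_char(alphabet_size: int) -> float:
    """Entropy per character, valid only if every symbol is equally likely."""
    return math.log2(alphabet_size)


def generate_psk(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character independently and uniformly from the OS CSPRNG."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("duplicate symbols would skew the distribution")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_offline_seconds(bits: float, seconds_per_guess: float = 1e-3) -> float:
    """Average search time: half the keyspace at a fixed cost per guess."""
    return (2.0 ** bits) / 2 * seconds_per_guess


def compare() -> dict:
    """Keyspace and average offline search time for the cases in the thread."""
    cases = {
        "2400-entry dictionary": math.log2(2400),
        "20 random chars, 64 symbols": 20 * bits_per_char(64),
        "20 random chars, 94 symbols": 20 * bits_per_char(94),
    }
    return {name: (bits, expected_offline_seconds(bits)) for name, bits in cases.items()}


if __name__ == "__main__":
    print("PSK:", generate_psk())
    for name, (bits, secs) in compare().items():
        print(f"{name}: {bits:.1f} bits, ~{secs:.3g} s at 1 ms/guess")
```

The bit counts hold only because `secrets.choice` selects each symbol with equal probability; a human-chosen string over the same alphabet does not reach them.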