 
 From:  "Josh McAllister" <josh at bluehornet dot com>
 To:  "Fred Wright" <fw at well dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Monowall and Freeswan
 Date:  Wed, 9 Feb 2005 16:41:56 -0800
> On Tue, 8 Feb 2005, Josh McAllister wrote:
> 
> > Sorry... but you're way off. You sound quite knowledgeable... perhaps
> > just misguided. If you take A-Z,a-z,1-10,!-), plus other assorted
> > symbols, you get > 72 possible char, but even @ 64 you'd still have a
> > theoretical best of 6 bits of entropy.
> 
> Emphasis on "theoretical best".  A set of N bits only has N bits of
> entropy if all 2^N combinations are equally likely.  In the context of
> "guessability", that doesn't simply mean that the cases are used with
> equal frequency in general, but also that it's impossible to use *any*
> other information to establish unequal probabilities of the cases.

I intended that emphasis as well, which is why I stated that in the real
world, the entropy would be somewhere between what you suggest and the
theoretical best. We're clearly on the same page so far.
 
> > The 1 bit notion is over-quoted, and over-exaggerated. That is worst
> > case scenario, which applies to (unfortunately too many) people who are
> > too ignorant to realize that "lastname" or "emantsal" are not strong
> > passwords.
> 
> Just what part of "ordinary English text" was unclear?  The minute you
> call it a "password", you invite such behavior.  Most typical
> "passwords" can be cracked with a dictionary that has only 2400 entries.

Let's not quibble over word choice; I used "password" (in quotes
initially as well) merely to indicate that it was not looking for a PEM
encoded key, or any such thing.

> Even when cracking something that may not *necessarily* be a "password" or
> "passphrase", that possibility can be exploited simply by testing
> "phraselike" cases first.
> 
> > If you used a random generator to generate a 20 char. password even with
> > a limited char. set of 64 chars, you'd still get 6*20=120bits of

Exactly why I said *STRONG* password/key/secret/whatever. Any admin
who's gotten this far should (hopefully) know what the guidelines are.
Again, clearly we're on the same page.

> As I already explained.  Note that it doesn't make sense to use more than
> 64 characters if one is limited to printable US-ASCII, since the maximum
> alphabet meeting that requirement has 94 characters, and that just isn't
> worth it for an extra 0.55 bits/char.
> 
> > entropy. Real world numbers with a person selecting a "strong password"
> > with mixed case/numbers/symbols would be somewhere in the middle.
> 
> Humans aren't very good at picking things randomly.  That's why shared
> lottery jackpots aren't all that uncommon. :-)

@l1mY3XesL!vEiNt3XaS OR as I stated one could use a random char
generator to produce a 20 char. printable key. Again, I KNOW the first
example is not going to give you 120 bits, but it's going to be much
closer to 120 than 20.

> There are algorithms for generating character strings that have
> semi-decent per-character entropy while being sort of easy to remember,
> but there's no reason to take that approach for something like an IPsec
> PSK, which only needs to be entered at configuration time.

Agreed.

> > Also, in the real world, it take much more than 1 ms per try to conduct
> > any kind of man-in-the-middle / spoofing attack no matter how fast the
> > perpetrator can calculate the combinations.
> 
> *Who's* being misguided?  Nothing of the sort is necessary, with the
> "expensive" part being done completely offline after passively
> eavesdropping on a single exchange.  In aggressive mode, the hash result
> and the nonce are sent in the clear, and the hash function is known.  The
> only thing necessary to test a candidate key is the hash computation,
> which can easily be performed in under a millisecond.  As I already
> explained, main mode improves on this by requiring the ephemeral DH key to
> be cracked first.

My bad, I assumed that people for whom security was a significant
concern would not waste time with aggressive mode. To me main mode is a
given. I was in fact referring to main mode.

> There's a reason why Unix systems no longer make the hashed passwords
> public.

Obviously.
 
> > Just trying to stop the perpetuation of FUD.
> 
> Charity begins at home.

I was merely pointing out that the notion of a 20 char key being cracked
in 1000 seconds was beyond ridiculous, **UNLESS** it was something like
"thisismypresharedkey" and the person was using aggressive mode.
Hopefully no one on this list is THAT stupid though.

Josh McAllister
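The entropy figures argued over in this thread (6 bits/char for a 64-symbol alphabet, the extra 0.55 bits/char from all 94 printable US-ASCII characters, and what a 1 ms-per-guess offline attack means for a 20-bit versus a 120-bit key), as an added example that is not part of the thread or of m0n0wall. The specific two symbols used to fill out the 64-character alphabet are an assumption; the thread does not name them.

```python
import math
import secrets
import string

# Constructed 64-symbol alphabet: 52 letters + 10 digits + 2 symbols (the
# symbol choice is an assumption; the thread only says "64 chars").
ALPHABET_64 = string.ascii_letters + string.digits + "!@"
# Every printable US-ASCII character except space: 94 symbols.
PRINTABLE_94 = "".join(chr(c) for c in range(33, 127))


def bits_per_char(alphabet_size: int) -> float:
    """Entropy per character when each symbol is chosen uniformly at random."""
    return math.log2(alphabet_size)


def key_entropy_bits(length: int, alphabet_size: int) -> float:
    """Total entropy of a uniformly random key of `length` symbols."""
    return length * bits_per_char(alphabet_size)


def generate_psk(length: int = 20, alphabet: str = ALPHABET_64) -> str:
    """Generate a PSK with the OS CSPRNG; uniform choice is what makes
    the entropy arithmetic above actually hold for the result."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_guesses(entropy_bits: float) -> float:
    """Average guesses to hit a uniformly random key: half the keyspace."""
    return 2 ** (entropy_bits - 1)


def expected_crack_seconds(entropy_bits: float, seconds_per_guess: float = 1e-3) -> float:
    """Expected offline cracking time at a fixed cost per candidate
    (the thread's figure of one hash computation per millisecond)."""
    return expected_guesses(entropy_bits) * seconds_per_guess


if __name__ == "__main__":
    print("64-symbol alphabet: %.2f bits/char" % bits_per_char(64))
    print("94-symbol alphabet: %.2f bits/char" % bits_per_char(94))
    print("20 random chars from 64 symbols:", key_entropy_bits(20, 64), "bits")
    print("Example PSK:", generate_psk())
    # A 20-char English phrase credited with ~1 bit/char (~20 bits) versus
    # a random 20-char key (120 bits), both at 1 ms per guess:
    print("~20-bit phrase: %.0f s" % expected_crack_seconds(20))
    print("120-bit random key: %.3g s" % expected_crack_seconds(120))
```

At 1 ms per guess the 20-bit phrase falls in about 524 seconds on average, which is where the "1000 seconds" figure in the thread comes from; the 120-bit random key needs on the order of 10^32 seconds.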