Re: [PATCH/KERNELI] Util-linux 3des update

2000-09-22 Thread Gisle Sælensminde

On Fri, 22 Sep 2000, Sandy Harris wrote:

> Gisle Sælensminde wrote:
> 
> No. Adding data the attacker knows cannot make the attack harder to any
> significant extent. At best, it might increase attack overheads by some
> small factor. What you need for security are things that cost little or
> nothing for legitimate users but increase attack difficulty exponentially.
> 

snip
> Yes it does. If the passphrase entropy is 100 bits, the best brute
> force attack is to try all 2^100 possibilities. If it is 200 bits,
> or 500, the best brute force attack is to ignore the passphrase
> and try the 2^160 possible outputs from the first hash. There is
> no case where you have to try all 2^192 possible 3DES keys against
> this scheme.
> 

The scheme goes as follows, where || is used as concatenation, M is the
passphrase and MD is ripemd160. A substring of H will be used as the key.

 H1 = MD( M )
 H2 = MD( A || M)
 H = H1 || H2

This scheme is not simply a hash of the hash, and it should not simply be
adding data, as far as I can judge. Is this wrong? However, the main point
is to make the data unpredictable for the attacker. Predictable data in
the last DES subkey would probably open up certain attacks.

I think we can agree that the weakest point in a passphrase-based system
like this one is too short/bad passphrases. I tried to say that users never
type in 160 bits or more of real entropy. I would in fact guess that 40
bits is a better estimate for typical entropy in passphrases. The most
successful attack against this scheme is probably a dictionary attack.

If I got you right, you don't mean that the scheme introduces any
weaknesses?



--
Gisle Sælensminde ( [EMAIL PROTECTED] )   

With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going
to land, and it could be dangerous sitting under them as they fly
overhead. (from RFC 1925)


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/



Re: [PATCH/KERNELI] Util-linux 3des update

2000-09-22 Thread Gisle Sælensminde

On Fri, 22 Sep 2000, Alexander S A Kjeldaas wrote:

> On Fri, Sep 22, 2000 at 11:46:02AM +0200, Gisle Sælensminde wrote:
> > 
> > Since des_ede3(3des) now is added to the international kernel, it will
> > probably be a good idea to add support for it in losetup, so here is
> > a patch to the kerneli version of util-linux-2.10m / kerneli 2.2.17.3
> > 
> > Since this is crypto-related the patch is found at the URL:
> > 
> > ftp://ftp.ii.uib.no/pub/gisle/kerneli/patch.util-linux.3des
> > 
> > 
> > DES_EDE3 needs 24 bytes of key data, but ripemd160, used to hash the
> > passphrase, only provides 20 bytes of key data. To get 24 bytes of key
> > data, an uppercase 'A' is concatenated with the passphrase, and this
> > string is hashed to get another 20 bytes of key data. Similar methods are
> > used in SSL and SSH to get the session keys from the key exchange.
> > 
> 
> Just curious. Do you know whether this strengthens security at all?  I
> would guess that the security can not be better than if we used
> RIPE-MD320 to hash the passphrase, and that hash is considered to have
> the same security as RIPE-MD160.

The scheme doesn't limit the entropy of the key to 160 bits if the
passphrase has more entropy than that, so the scheme should be suitable.
A key length of 160 bits is anyway a large margin for this kind of use.

A drawback of changing the hash is that people will no longer be able to mount
their encrypted disks with the new version of losetup. This version is a
pure extension to be able to use algorithms with more than 160 bit
key size. It will probably be a bad idea to break compatibility when no
significant security improvement can be achieved.

I'm almost certain that nobody has passphrases with more than 160 bits of
real entropy. I don't think that the overall security of the system will
increase, neither with this patch nor with a change to ripemd-320. For that
reason I prefer compatibility unless ripemd-160 should be broken some
time in the future.

> > I also changed the code to allow all ciphers to use the same code for 
> > key generation, but everything is kept compatible.
> > 
> 
> Looks sane.  Merged it and updated the util-linux patch to 2.10o.
> 

--
Gisle Sælensminde ( [EMAIL PROTECTED] )   




[PATCH/KERNELI] Util-linux 3des update

2000-09-22 Thread Gisle Sælensminde


Since des_ede3(3des) now is added to the international kernel, it will
probably be a good idea to add support for it in losetup, so here is
a patch to the kerneli version of util-linux-2.10m / kerneli 2.2.17.3

Since this is crypto-related the patch is found at the URL:

ftp://ftp.ii.uib.no/pub/gisle/kerneli/patch.util-linux.3des


DES_EDE3 needs 24 bytes of key data, but ripemd160, used to hash the
passphrase, only provides 20 bytes of key data. To get 24 bytes of key
data, an uppercase 'A' is concatenated with the passphrase, and this
string is hashed to get another 20 bytes of key data. Similar methods are
used in SSL and SSH to get the session keys from the key exchange.

I also changed the code to allow all ciphers to use the same code for 
key generation, but everything is kept compatible.

--
Gisle Sælensminde ( [EMAIL PROTECTED] )   


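The key derivation the patch announcement describes, and the H1 || H2 construction spelled out in the reply to Sandy Harris, written out as an added example. This is not code from the util-linux/kerneli patch; it is a stand-alone sketch of the scheme. The hash is a parameter so the function can be exercised with any 20-byte digest (the patch uses RIPEMD-160; the default below asks hashlib for "ripemd160", which depends on the OpenSSL build Python links against). That keys of 20 bytes or less are just a prefix of H1, the old losetup behaviour the patch keeps compatible, is an assumption drawn from "everything is kept compatible". The dictionary-attack helper and the `accept` oracle (in practice: decrypt the first sector and look for filesystem magic) are illustrative assumptions, not anything losetup does.

```python
"""Added example: the losetup passphrase-to-key scheme from the thread.

    H1  = MD(M)
    H2  = MD('A' || M)
    key = (H1 || H2)[:keylen]

Not the patch's own code; the hash function is a parameter and the
<= 20 byte prefix rule is an assumption based on "kept compatible".
"""
import hashlib
from typing import Callable, Iterable, Optional, Tuple

HashFn = Callable[[bytes], bytes]

SALT = b"A"        # the uppercase 'A' prepended for the second digest
DIGEST_LEN = 20    # RIPEMD-160 output; H1 || H2 is therefore 40 bytes at most


def ripemd160(data: bytes) -> bytes:
    """RIPEMD-160 via hashlib; raises ValueError if OpenSSL lacks it."""
    return hashlib.new("ripemd160", data).digest()


def sha1(data: bytes) -> bytes:
    """Stand-in 20-byte digest for exercising the scheme without RIPEMD-160."""
    return hashlib.sha1(data).digest()


def derive_key(passphrase: bytes, keylen: int, md: HashFn = ripemd160) -> bytes:
    """Derive `keylen` bytes of cipher key from the passphrase.

    Keys up to 20 bytes are a prefix of H1 (assumed old behaviour, so
    existing volumes still mount); longer keys, e.g. 24 bytes for
    DES_EDE3, take the remainder from H2 = MD('A' || M).
    """
    if not 1 <= keylen <= 2 * DIGEST_LEN:
        raise ValueError("scheme provides at most %d key bytes" % (2 * DIGEST_LEN))
    h1 = md(passphrase)
    if keylen <= DIGEST_LEN:
        return h1[:keylen]
    h2 = md(SALT + passphrase)
    return (h1 + h2)[:keylen]


def dictionary_attack(
    wordlist: Iterable[bytes],
    keylen: int,
    accept: Callable[[bytes], bool],
    md: HashFn = ripemd160,
) -> Tuple[Optional[bytes], int]:
    """Try each candidate passphrase; return (hit, derivations performed).

    `accept` is the attacker's key-check oracle (assumed: decrypt the first
    sector and test for a known plaintext). The cost is one derivation per
    word, which is why the thread expects this to beat any 2^160 or 2^192
    keyspace search: the passphrase, not the hash width, bounds the work.
    """
    tries = 0
    for word in wordlist:
        tries += 1
        if accept(derive_key(word, keylen, md)):
            return word, tries
    return None, tries


if __name__ == "__main__":
    # Demonstration with constructed inputs; requires ripemd160 in hashlib.
    pw = b"correct horse"
    k20 = derive_key(pw, 20)
    k24 = derive_key(pw, 24)
    assert k24[:20] == k20            # 3DES key starts with the old 160-bit key
    print("20-byte key:", k20.hex())
    print("24-byte key:", k24.hex())
    hit, n = dictionary_attack([b"password", b"letmein", pw], 24, lambda k: k == k24)
    print("dictionary hit after", n, "derivations:", hit)
```

With the SHA-1 stand-in the structure is easy to check by hand: the 24-byte key is the full 20-byte digest of M followed by the first four bytes of the digest of "A" || M, so a 160-bit search over H1 alone cannot produce the last four bytes, while a guess at M produces all 24 at once.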

