Re: mlock(1)

From: Jack Lloyd
Date: Mon Oct 04 2004 - 07:23:51 EST

Next message: Paolo Ciarrocchi: "Re: [PATCH] AES x86-64-asm impl."
Previous message: Jari Ruusu: "Re: [PATCH] AES x86-64-asm impl."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Sep 30, 2004 at 07:42:44PM +0200, Andrea Arcangeli wrote:
> >
> > Actually, better solution probably is to encrypt 32-bit zero.
> >
> > Then, you have 1:2^32 probability of accepting wrong password, still
> > if you try to brute-force it, you'll find many possible passwords.
>
> this is just the first step an attacker needs to rule out all the
> impossible passwords and extend the crack to the other known bits. I
> don't think it's secure. My suggestion OTOH sounds completely secure
> (though much harder to implement).

PGP actually uses a similiar techinique (80 bits of randomness, with bytes 9+10
being repeats of 7+8) to check for bad decrypts. With 16 bits of checksum, the
attacker only is able to eliminate about (2^16-1)/2^16 of the keys, which seems
like a lot, but only reduces the keylength by 16 bits. If you're using
reasonably sized keys (>=128 bits) that's not a problem because the remaining
keyspace is still much larger than the set of likely passphrases (even quite
good passphrases rarely get over 80 or 90 bits of entropy).

-Jack
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paolo Ciarrocchi: "Re: [PATCH] AES x86-64-asm impl."
Previous message: Jari Ruusu: "Re: [PATCH] AES x86-64-asm impl."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]