<HTML>

<HEAD>
<TITLE>Passphrases</TITLE>
<META NAME="description" CONTENT="Cerberus Systems, Inc. develops, manufactures and markets Windows&reg; cryptosystems designed to meet or exceed level 1 of FIPS PUB 140-1 with DOD 5220.22-M disk data recovery countermeasures.">
<META NAME="keywords" CONTENT="168-bit keys, access control, ANSI X9.17, computer security, confidentiality, crypto, cryptography, cryptographic, cryptology, cryptosystem, Data Encryption Standard, data security, DES, disk encryption, DOD 5200.28-STD, DOD 5220.22-M, encrypt, encryption, Federal Information Processing Standards, file encryption, FIPS, FIPS 46-2, FIPS 74, FIPS 81, FIPS 140-1, FIPS 180-1, FIPS 186, INFOSEC, integrity, key, NBS Special Publication 500-20, NCSC TG-25, passphrase, password, personal, privacy, private key, Secure Hash Standard, security, Security Requirements for Cryptographic Modules, security software, sensitive-but-unclassified, sensitive information, SHA, SHA1, SHS, software, standards, triple-DES, Windows&reg;.">
</HEAD>

<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#009966" ALINK="#FF0000" VLINK="#009966">
<BASEFONT  SIZE=2 FACE="Arial,Helv,Helvetica">

<TABLE ALIGN=LEFT BORDER=0 CELLSPACING=0 CELLBORDER=0 CELLPADDING=12 WIDTH=640>
<TR>

<!-- LEFT MARGIN STRIP -->
<TD BGCOLOR="#336666" ALIGN=CENTER VALIGN=TOP>

</TD>
<!-- END LEFT MARGIN STRIP  -->

<!-- MAIN SECTION -->
<TD ALIGN=LEFT VALIGN=TOP>

	<!-- Title Bar -->
<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0 WIDTH=500>
<TR><TD>
		<!-- Right-justified Logotype -->
<TABLE ALIGN=RIGHT BORDER=0 CELLSPACING=0 CELLPADDING=0>
<TR><TD><FONT COLOR="#006633" SIZE=3><B><I>CERBERUS <FONT SIZE=1>SYSTEMS, INC.</FONT></I></B></FONT></TD></TR><TR><TD ALIGN=CENTER><FONT COLOR="#999933" SIZE=1><B><I>
<!--forensic software countermeasures-->
<!--INFORMATION SECURITY TOOLS-->
<!--INFOSEC for Personal Computers-->
<!--INFOSEC Products for Windows&reg-->
<!--INFOSEC Tools for PCs & Laptops-->
<!--personal information security tools-->
Windows&reg;-compatible encryption
</I></B></FONT></TD></TR>
</TABLE>
		<!-- End Logotype -->
</TD></TR>
<TR ALIGN=CENTER><TD WIDTH=490>
		<!-- Centered Page-Title -->
<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=10>
<TR><TD ALIGN=CENTER><FONT COLOR="#CC3300" SIZE=4><B>
			<!-- Title Text-->
PASSPHRASES
			<!-- End Title Text -->
</B></FONT></TD></TR>
</TABLE>
		<!-- End Page-Title -->
</TD></TR></TABLE>
	<!-- End Title Bar -->

	<!-- Content -->
<FONT SIZE=2>

<P>The strength of a high-grade cryptosystem's cipher precludes practical cryptanalytic attacks.  However, localizing your keying information to a small-enough part of the keyspace would offer an attacker the possibility of only having to search a manageable part of that space, in order to hit the correct key value.  Such clues to changing the keyspace probability distribution, from one that is uniform to one that is highly "peaked," are the basis of modern code-breaking.  

<P>Avoiding presenting an adversary with such clues is the basis of your security.  Aside from <i>rubber-hose cryptanalysis</i> (finding yourself in a basement, assisting some large gentlemen with their inquiries), the most successful way for an adversary to obtain such clues is by <i>social engineering</i> your likely passphrases from other clues.

<BLOCKQUOTE><FONT SIZE=1 COLOR="#006633">
<B>NOTE:</B>  Our masterkey generation algorithm requires the sum total of the number of characters in your name and the number of characters in your passphrase to be not less than 20, nor more than 126 characters.  The high redundancy of English text (so beloved by cryptanalysts seeking non-uniform distributions with which to crack codes) typically yields only 1.3 bits of entropy per character in a literary phrase.  Consequently, the 20 character minimum is really not contributing more than 36 bits of keying entropy, even though the SHA-1 algorithm spreads them throughout the keyspace.  Passphrases of 15 to 30 characters work well for many people in balancing security versus the need to flawlessly type into a dialog box that has been "blinded" to prevent <i>shoulder surfers</i> from seeing your passphrase as you enter it. A 30-character literary phrase will provide approximately 39 bits of entropy which, combined with the 10 bits from our master key computation, yields an encryption-breaking DES workfactor of log<sub>2</sub>3 + 49 = 50.6 bits.
</FONT></BLOCKQUOTE>

<P><HR SIZE=1 WIDTH=50% ALIGN=CENTER>

<P ALIGN=CENTER><FONT COLOR="#006633"><b>VULNERABILITIES</b></FONT>

<P>The reason for using passphrases is the avoidance of ever recording un-encrypted keying information, to prevent its compromise.  (Few people can memorize 24-byte hexadecimal numbers.)  Consequently, mnemonic devices are needed to avoid your ever recording your passphrase.

<P>However, just because you haven't left it on a Post-It&reg; note stuck to your monitor, doesn't mean that a clever adversary couldn't use those very mnemonic devices to successfully deduce your passphrase (or at least reduce the required length of the automated <i>dictionary attack</i> s/he may run on it).

<P>Therefore, the means you employ to choose your passphrase (preferably of 15-to-30 characters) is of extreme importance to your data's security.

<P>Knowledgeable adversaries (like the French intelligence service that targeted Texas Instruments) will target the <i>weakest</i>  part of your INFOSEC, not the strongest.

<P>For instance, unplugging your disk and connecting it to a cable on their lap-top allows <i>disk surfing,</i> regardless of password programs or other obstacles to them running their scanning software on<i> your</i> computer.  If time doesn't permit, they can just steal the hard drive out of your machine.

<P>If they can get it past your physical security, stealing the entire computer will leave you wondering if it was data theft, or simple burglary of a saleable machine.  (If the data was the latest geological evaluation of an oil field or gold mine, or your company's too-high-by-one-dollar bid for a big contract, you'd not wonder for long.)

<P>Such adversaries are well-versed in the too-clever mnemonic tricks continually reinvented by amateurs, most of whom use them with easily guessed roots.

<P>Technical people typing numerical values (such as Pi or Euler's constant) with the upper-case shift key depressed are particularly weak targets.  So are people typing obvious phrases with the keys adjacent to those for the actual characters.

<P><HR SIZE=1 WIDTH=50% ALIGN=CENTER>

<P ALIGN=CENTER><FONT COLOR="#006633"><b>YOUR CHOICE</b></FONT>

<P>Using the sentence on a professional reference book's line and page keyed to a memorable number does require an attacker (and you) to have physical copies of the book available.  This may be difficult for lap-top "road warriors," whose INFOSEC needs are often greater than those of people in secure, book-laden facilities.  

<BLOCKQUOTE><FONT SIZE=1 COLOR="#006633">
<B>NOTE:</B>  It can, however, be an acceptable technique for secure passphrase exchange with another user of our cryptosystems who has the same book, provided that the communication doesn't give adversaries clues to <i>which</i> book you're both using.  This <i>protocol</i> is, after all, just a variation on the primitive theme of <i>book codes.</i>
</FONT></BLOCKQUOTE>

<P>On the other hand, rooting your phrases in the context of your (truly) <i>private life</i> can make them totally obscure for attackers working in the context of your <i>work life,</i> while easily remembered by you.  (However, your family's names, your favorite sports team or other so-called "private" information available to your co-workers are worse than useless. They're most any knowledgeable attacker's starting point.)

<BLOCKQUOTE><FONT SIZE=1 COLOR="#006633">
<B>NOTE:</B>  Our software cryptosystems take the 160-bit SHA-1 digest of your passphrase and spread those bits over a 168-bit key by repeated triple-DES CBC encryptions.  They use the digest as the key, and perform 333 passes, plus however many more are needed to pass the weak/semi-weak key tests.  This increases the time required for each passphrase trial by 1000 triple-DES encryptions.  Even if reverse-engineering yielded the exact form of the algorithm, this substantially increases the work factor for a dictionary attack.  That is why your personal security must be factored into your plans,  to discourage adversaries from choosing an easier attack by <i>rubber hose cryptanalysis.</i>
</FONT></BLOCKQUOTE>

<P>Unless you're an accomplished amateur poet, generating memorable phrases not found in published literature will be a challenge.  If your passphrase is easy to reproduce, your adversaries may; if you can't reproduce it, your data is as secure from you as from them.  Only <i>you</i> can choose well against <i>your</i> adversaries. 

<P>If some of the words in a passphrase are restricted to those that will "go well" with the others, that reduces the scope of a required dictionary attack.  If you randomly choose each word, instead, your "secret" will be a nonsense-phrase that is still memorable, but harder to guess. If each word is independently selected by randomly addressing a list of 4096 words, each word adds 12 bits of entropy to the "phrase," regardless of wordlength. A typical English phrase contributes only 1.3 bits of entropy from each character. Thus, four 12-bit-addressed words would yield 48 bits, versus 39 bits for a 30-character literary phrase. The added entropy of our master key computation would then give those four words an encryption-breaking DES workfactor of log<sub>2</sub>3 + 58 bits.

<P>Arnold Reinhold's <a href="http://world.std.com/~reinhold/diceware.html"><u><i>DiceWare</i></u></a> web-site includes a list of 8,192 words for use with his dice-rolling method of random addressing, producing 13 bits of entropy per word.

<P>The Professional versions of our software cryptosystems include a pseudo-random passphrase generator.  It incorporates a dictionary of 16,384 5-to-10-character words (average length 7.4 characters), selected with pseudo-random addresses generated by our ANSI X9.17 keystream generator. One of its four-word nonsense-phrases contributes 56 bits of entropy.  Our masterkey computation's 1000 recursive 3DES encryptions of the phrase's SHA-1 hash yield a DES workfactor of almost 68 bits.
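
<P>The entropy and workfactor arithmetic above, together with independent random word selection, as an added Python example that is not Cerberus code. The 4096-entry word list is a constructed stand-in built from syllables, and reading the log<sub>2</sub>3 term as the three DES operations inside each triple-DES encryption is an assumption.

```python
import math
import secrets

LITERARY_BITS_PER_CHAR = 1.3   # page's figure for English literary text
STRETCH_BITS = 10              # page: ~1000 triple-DES encryptions per trial (about 2**10)
TDES_BITS = math.log2(3)       # page's log2(3) term; assumed: 3 DES operations per triple-DES

def literary_entropy_bits(n_chars):
    """Entropy of a literary phrase at the page's 1.3 bits per character."""
    return n_chars * LITERARY_BITS_PER_CHAR

def word_entropy_bits(list_size, n_words):
    """Entropy of n_words chosen independently and uniformly from list_size words."""
    return n_words * math.log2(list_size)

def des_workfactor_bits(phrase_bits):
    """Phrase entropy plus the master-key stretching and triple-DES terms."""
    return phrase_bits + STRETCH_BITS + TDES_BITS

def words_needed(list_size, target_bits):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def build_demo_wordlist():
    """Constructed stand-in list: 16 syllables cubed = 4096 distinct pseudo-words."""
    syl = ["ba", "de", "fi", "go", "hu", "ka", "le", "mi",
           "no", "pu", "ra", "se", "ti", "vo", "wu", "za"]
    return [a + b + c for a in syl for b in syl for c in syl]

def generate_passphrase(wordlist, n_words):
    """Pick each word independently with a CSPRNG, so no word constrains the next."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate entries lower the real entropy per word")
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    words = build_demo_wordlist()
    print(generate_passphrase(words, 4))
    for label, bits in [("30-char literary phrase", literary_entropy_bits(30)),
                        ("4 words from 4096", word_entropy_bits(len(words), 4)),
                        ("4 words from 8192", word_entropy_bits(8192, 4)),
                        ("4 words from 16384", word_entropy_bits(16384, 4))]:
        print(f"{label}: {bits:.1f} bits, DES workfactor {des_workfactor_bits(bits):.1f} bits")
```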

<P><HR SIZE=1 WIDTH=50% ALIGN=CENTER>

<P ALIGN=CENTER><FONT COLOR="#006633"><b><i>SHARED SECRET</i> KEY SHARES</b></FONT>

<P>The Professional versions of our software cryptosystems give you the optional capability to <i>Create key share diskettes</i> for emergency access without knowledge of your passphrase.  If you keep two key share diskettes <i>in separate secure locations,</i> they will provide emergency access if you forget your passphrase.

<BLOCKQUOTE><FONT SIZE=1 COLOR="#006633">
<B>NOTE:</B>  The 24-byte master key is used as the vertical intercept of a line with slope equal to an ANSI X9.17-generated 24-byte number.  Each key share is a point on that line, so that any two of them can be combined to regenerate the master key.  Knowledge of any one of them conveys <i>zero</i> information about the master key.  Only two such <i>shared secret</i> key shares <i>created at the same time</i> will work, however.  Obviously, they will only work until you change your passphrase, generating a different master key.
</FONT></BLOCKQUOTE>

<P>However, the real purpose of this feature is to allow you to encrypt data which you have an obligation to preserve for others, in the event of your incapacity or death.  For instance, you could provide your wife, your accountant and your attorney with single shares, so any two of them could recover encrypted information in such an event.  If the data belonged to your employer, you could give one share each to your immediate supervisor, to the director of personnel and to the corporate attorney.
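
<P>The two-point line scheme from the note above, with three shares of which any two recover the key, as an added Python sketch rather than the product's implementation. The page does not say what arithmetic the product uses; working modulo the prime 2<sup>255</sup> - 19 and drawing the slope from Python's <code>secrets</code> module in place of the ANSI X9.17 generator are assumptions.

```python
import secrets

P = 2**255 - 19    # assumed field prime; larger than any 24-byte (192-bit) value
KEY_BYTES = 24     # master key size stated on the page

def make_shares(master_key, n=3):
    """Return n points (x, y) on the line y = slope*x + key (mod P)."""
    if len(master_key) != KEY_BYTES:
        raise ValueError("master key must be 24 bytes")
    key = int.from_bytes(master_key, "big")
    slope = secrets.randbelow(P)   # stand-in for the ANSI X9.17-generated slope
    return [(x, (slope * x + key) % P) for x in range(1, n + 1)]

def recover_key(share_a, share_b):
    """Rebuild the line from two points and return its intercept as 24 bytes."""
    (x1, y1), (x2, y2) = share_a, share_b
    if (x1 - x2) % P == 0:
        raise ValueError("need two different shares")
    slope = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    key = (y1 - slope * x1) % P
    if key >= 2 ** (8 * KEY_BYTES):
        # Points from different share sets lie on different lines, so the
        # computed intercept is almost never a valid 192-bit key.
        raise ValueError("shares were not created together")
    return key.to_bytes(KEY_BYTES, "big")

def slope_explaining(share, candidate_key):
    """Slope that puts `share` on a line whose intercept is candidate_key.

    One exists for every candidate, which is why a single share reveals nothing.
    """
    x, y = share
    k = int.from_bytes(candidate_key, "big")
    return (y - k) * pow(x % P, -1, P) % P

if __name__ == "__main__":
    master = secrets.token_bytes(KEY_BYTES)        # constructed sample key
    share_1, share_2, share_3 = make_shares(master, 3)
    print(recover_key(share_1, share_3) == master)  # any two shares suffice
    print(recover_key(share_3, share_2) == master)
    wrong_guess = bytes(KEY_BYTES)                  # all-zero key still fits one share
    s = slope_explaining(share_2, wrong_guess)
    print((s * share_2[0]) % P == share_2[1])
```

Arithmetic modulo a prime is what makes the single-share claim hold: with ordinary integers, the size of a share would leak information about the intercept.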

<P><HR SIZE=1 WIDTH=50% ALIGN=CENTER>

<P>Unfortunately, unless a cryptosystem is specifically designed with features to thwart it, <i>Windows&reg; can leak your passphrase.</i>  In fact, unless prevented, <i>Windows&reg; can bypass encryption,</i> leaving leaked copies of your plaintext scattered on your disk.<a href="leaks.htm"><IMG SRC="../images/web_next.gif"  BORDER=0></a>

</FONT>
	<!-- End Content --->

	<!-- Standard Footer --->
<CENTER>
<P><BR>
<FONT SIZE=2 COLOR="#006633"><B><i>
Cerberus Systems, Inc. develops, manufactures and markets<BR>
software cryptosystems designed to level 1 of FIPS PUB 140-1<BR>
with DOD 5220.22-M disk data recovery countermeasures.
</i></B></FONT>
<P><HR SIZE=1>
<FONT SIZE=1 COLOR="#CC3300">
The Cerberus logo and the <i>...Security Manager</i> product names are trademarks of Cerberus Systems, Inc.<BR>
&copy; Copyright 1997-99, all rights reserved.
</FONT>
<HR SIZE=1>
</CENTER>
	<!--- End Standard Footer --->

</TD>
<!-- END MAIN SECTION -->

<!-- PADDING CELL -->
<TD>
<!-- right margin = 2 x cellpadding -->
</TD>
<!-- END PADDING CELL -->

</TR>
</TABLE>

</BODY>

</HTML>
