[all variants] newbie encryption question



imT
June 8th, 2008, 01:31 PM
Does the password length compensate for a less powerful algorithm?
Let's say a 75-character pass, would that make things as hard for the cracker as, let's say, a smaller pass with a better algorithm?

tom66
June 8th, 2008, 01:37 PM
Well, a 75 character pass would be difficult to break, unless there turned out to be a 75 letter word in the English dictionary.

In general, a longer pass is more secure, but introducing symbols, numbers and making it somewhat obscure would be better. A short six letter password like "$9Kn%L" is more secure than "nicetoast". (Don't use these passwords, they've been publicly documented now)

datajack
June 8th, 2008, 01:54 PM
Does the password length compensate for a less powerful algorithm?
Let's say a 75-character pass, would that make things as hard for the cracker as, let's say, a smaller pass with a better algorithm?

As in almost all things, the answer is 'it depends on how it is being used'.

In practice, though, for most useful encryption schemes, the answer is no. In most non-trivial encryption systems, your password is not actually used to encrypt the data. Instead an encryption key is generated to protect the data and your password is used to scramble or create this key. (This is what it means when you see things like 1024 and 2048 bit length keys - longer keys are typically harder to crack but need much more cpu power to encrypt/decrypt) Depending on the system in use, an attacker may have access to this scrambled copy of the encryption key and sometimes not.

If they can access the scrambled key, then they can attempt to attack your password which will leave them with a large number of likely incorrect keys to try as (usually) there is no easy way of knowing if you have the right key until you try and decrypt the data. Their other option is to ignore your password and try and deduce the key directly. In cryptosystems that are known to be 'weak', it has been shown to be likely possible to do this within a reasonable time-scale and budget.

chewearn
June 8th, 2008, 02:03 PM
Does the password length compensate for a less powerful algorithm?
Let's say a 75-character pass, would that make things as hard for the cracker as, let's say, a smaller pass with a better algorithm?

A longer password will be harder to crack, but only up to a point, limited by the encryption strength.

From my (rather limited) knowledge, most encryption algorithms do not actually use the supplied password to encrypt. Instead, they generate a key (random number) for the encryption.

The strength of the key depends on the algorithm itself. A 32-bit encryption will therefore have 2^32 keys, which on a modern computer is easily cracked. 64-bit will take longer, but not impossibly long.

The key is hashed to the password supplied by the user. If you supply a weak password, the cracker will be able to find the key from the hash by brute force.

However, if you supply a password which is longer than the key, the cracker will brute force the key itself. The longer password will be redundant, since you can get the same hash for more than one password.

Hope I'm not wrong with my explanation.
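
The two attack paths datajack and chewearn describe above (guess the password through the key-derivation step, or ignore the password and enumerate the key) can be made concrete. The following is an added example, not code from the thread or from encfs; the salt, the known header, the wordlist and the deliberately tiny 16-bit key are constructed for illustration, and an HMAC over a known block stands in for "try to decrypt and see if it makes sense". PBKDF2-HMAC-SHA256 from Python's standard library plays the role of the "hash" that turns the password into the key.

```python
import hashlib
import hmac
import math

# Constructed example (not from the thread): the data key is not the password.
# A KDF turns the password into a key of the cipher's size; the attacker can
# either guess passwords through the KDF or guess the key directly, whichever
# search space is smaller. Effective strength = min(password bits, key bits).

KDF_ITERATIONS = 10_000

def keyspace_bits(length: int, charset_size: int) -> float:
    """Search space, in bits, of a uniformly random password of `length`
    characters drawn from an alphabet of `charset_size` symbols."""
    return length * math.log2(charset_size)

def effective_strength_bits(password_bits: float, key_bits: int) -> float:
    """The attacker takes the cheaper search: passwords or keys."""
    return min(password_bits, key_bits)

def derive_key(password: bytes, salt: bytes, key_bits: int) -> bytes:
    """Password -> cipher key via PBKDF2-HMAC-SHA256, sized to the cipher's key length."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS, dklen=key_bits // 8)

def check_tag(key: bytes, known_plaintext: bytes) -> bytes:
    """Stand-in for 'decrypt and see whether the result makes sense': a MAC over
    a block the attacker knows is in the clear (file header, magic bytes)."""
    return hmac.new(key, known_plaintext, "sha256").digest()

def attack_password(wordlist, salt, known_plaintext, observed, key_bits):
    """Path 1: guess the password. Cost = password search space x one KDF per guess."""
    for word in wordlist:
        k = derive_key(word, salt, key_bits)
        if hmac.compare_digest(check_tag(k, known_plaintext), observed):
            return word, k
    return None, None

def attack_key(known_plaintext, observed, key_bits):
    """Path 2: ignore the password, enumerate the key. Cost = 2**key_bits, no KDF at all."""
    for candidate in range(2 ** key_bits):
        k = candidate.to_bytes(key_bits // 8, "big")
        if hmac.compare_digest(check_tag(k, known_plaintext), observed):
            return k
    return None

def demo() -> dict:
    salt = b"constructed-salt"          # constructed
    header = b"ENCFS-TOY-HEADER"        # constructed known plaintext
    results = {}

    # Case A: a 75-character password protecting a deliberately tiny 16-bit key.
    long_pw = bytes(range(33, 108))     # 75 printable ASCII bytes, '!' .. 'k'
    k16 = derive_key(long_pw, salt, 16)
    recovered = attack_key(header, check_tag(k16, header), 16)
    results["short_key_recovered_despite_long_password"] = recovered == k16
    results["effective_bits_case_a"] = effective_strength_bits(keyspace_bits(75, 95), 16)

    # Case B: a dictionary word protecting a 256-bit key.
    weak_pw = b"nicetoast"
    k256 = derive_key(weak_pw, salt, 256)
    wordlist = [b"password", b"letmein", b"nicetoast", b"qwerty"]   # constructed wordlist
    word, _ = attack_password(wordlist, salt, header, check_tag(k256, header), 256)
    results["weak_password_recovered_despite_256bit_key"] = word == weak_pw

    # Case C: 53 random printable characters protecting a 256-bit key (imT's setup).
    results["effective_bits_case_c"] = effective_strength_bits(keyspace_bits(53, 95), 256)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case A is chewearn's point: the 16-bit key falls to 65,536 guesses however long the password is. Case B is tom66's: a 256-bit key falls to a four-word list because the password, not the key, is the cheaper search. Case C shows why a 53-character random password adds nothing beyond the 256-bit key, but also costs nothing.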

tom66
June 8th, 2008, 02:09 PM
A longer password will be harder to crack, but only up to a point, limited by the encryption strength.

From my (rather limited) knowledge, most encryption algorithms do not actually use the supplied password to encrypt. Instead, they generate a key (random number) for the encryption.

The strength of the key depends on the algorithm itself. A 32-bit encryption will therefore have 2^32 keys, which on a modern computer is easily cracked. 64-bit will take longer, but not impossibly long.

distributed.net took 4 years to crack a 64-bit key. Not too much of a danger there, considering most keys are 128-bits.

Monicker
June 8th, 2008, 02:14 PM
distributed.net took 4 years to crack a 64-bit key. Not too much of a danger there, considering most keys are 128-bits.

The implementation and algorithm are still extremely important, regardless of key size. WEP is a good example of this. You only need to gather a certain amount of wireless traffic encrypted via WEP in order to obtain the key. With tools like aircrack-ng you can do this in under 5 minutes, even for a 128 bit WEP key.
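
Monicker's point above is that a design flaw, not key size, is what breaks WEP. The key-recovery attack aircrack-ng runs is statistical and more involved than fits here, but the same frame format has a simpler flaw that shows why "128-bit" changes nothing: WEP seeds RC4 with a 24-bit per-frame IV prepended to the shared key, so once an IV repeats, two frames share a keystream and one known plaintext exposes the other. The following is an added example, not code from the thread or from aircrack-ng; the key, IV and payloads are constructed, and the CRC-32 ICV of a real frame is omitted since it does not affect the point.

```python
import math

# Constructed illustration (not from the thread or aircrack-ng): WEP-style
# framing with RC4(IV || key). The key is 40 or 104 bits ("64-bit"/"128-bit"
# WEP); the IV is always 24 bits, so keystream reuse is a property of the
# design, not of the key length.

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling then pseudo-random generation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, payload XORed with RC4(IV || key)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def recover_from_iv_reuse(frame1: bytes, frame2: bytes, known_plaintext1: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so c1 ^ c2 == p1 ^ p2.
    A predictable p1 (e.g. the LLC/SNAP header + a known packet) yields p2
    without ever learning the key."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs: keystreams differ, no direct recovery")
    c1, c2 = frame1[3:], frame2[3:]
    return xor(xor(c1, c2), known_plaintext1)

def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2**iv_bits) random IVs until a collision,
    about 5,100 frames for WEP's 24-bit IV."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

def demo() -> dict:
    key = bytes(range(13))                 # constructed 104-bit key ("128-bit WEP")
    iv = b"\x01\x02\x03"                   # constructed; the sender reuses it
    snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # LLC/SNAP header for IPv4, predictable
    p1 = snap + b"ping 192.168.1.1"        # constructed: attacker knows/induces this frame
    p2 = snap + b"pass=hunter2 ok!"        # constructed: the frame the attacker wants
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)
    return {
        "recovered_p2": recover_from_iv_reuse(f1, f2, p1),
        "expected_p2": p2,
        "frames_until_repeat": expected_frames_until_iv_repeat(24),
    }

if __name__ == "__main__":
    r = demo()
    print("recovered:", r["recovered_p2"])
    print("match:", r["recovered_p2"] == r["expected_p2"])
    print("expected frames until IV repeat: %.0f" % r["frames_until_repeat"])
```

Nothing in the recovery touches `key`; doubling its length would not change a single line. That is the sense in which Monicker says implementation and algorithm matter regardless of key size.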

imT
June 8th, 2008, 03:03 PM
I see, thanks.
So what about the encfs paranoia mode, is that good or do I need to go expert and learn more about encryption?

Monicker
June 9th, 2008, 03:24 PM
I see, thanks.
So what about the encfs paranoia mode, is that good or do I need to go expert and learn more about encryption?

That I do not know. I took a brief look at the encfs web site, but did not see much about which specific algorithms it supports. I also did some brief searching but could not find any peer reviews of the encfs implementation.

petrocc
June 9th, 2008, 03:29 PM
I see, thanks.
So what about the encfs paranoia mode, is that good or do I need to go expert and learn more about encryption?

http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=pd_bbs_2?ie=UTF8&s=books&qid=1213021651&sr=8-2

the_doc
June 9th, 2008, 04:23 PM
The algorithm is extremely important, a weak algorithm will undermine an encryption system regardless of the key length. Attackers would use the weakness to compromise the system and thereby get access to traffic/data with the size of the actual key/pw making little difference.

ukripper
June 9th, 2008, 04:32 PM
If this question is regarding wireless LAN, then it is highly recommended you use WPA/WPA2.
WPA2 with AES encryption is very hard to crack.

WEP is useless to use and easily cracked using kismet

imT
June 9th, 2008, 06:14 PM
according to man:

Paranoia mode uses the following settings:
Cipher: AES
Key Size: 256 bits
Filesystem Block Size: 512 bytes
Filename Encoding: Block encoding with IV chaining
Unique initialization vector file headers
Message Authentication Code block headers
External IV Chaining
Is it safe to use with a 53-character pass? I use the app ParolaPass (http://ubuntuforums.org/showthread.php?t=299823) for generating the password.

It's not about wireless encryption, it's about disk/file encryption, mainly with encfs.

the_doc
June 9th, 2008, 06:22 PM
The AES cipher is a tried and tested one and a 53 character password is longer than most, I reckon it'll be more than enough.

ukripper
June 9th, 2008, 06:25 PM
The AES algorithm is quite strong enough for disk encryption and would also require a long password. I would use at least 20 characters.