DM-Crypt Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [dm-crypt] luksFormat Password Entropy
@ 2010-08-18 20:11 Michael Matczynski
  2010-08-19 13:54 ` Arno Wagner
  2010-08-19 14:28 ` Heinz Diehl
  0 siblings, 2 replies; 7+ messages in thread
From: Michael Matczynski @ 2010-08-18 20:11 UTC (permalink / raw)
  To: dm-crypt

For luksFormat, is there a difference in password strength between the
following two passwords?

1.) <256bitsecret>

2.) <256bitsecret> | base64

Does the use of PBKDF2 make the longer but less entropy password #2
equivalent to #1?

Thanks!
Mike


-- 
Michael Matczynski
e: mjm@alum.mit.edu
w: www.zingtech.com
w: www.catchwine.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dm-crypt] luksFormat Password Entropy
  2010-08-18 20:11 [dm-crypt] luksFormat Password Entropy Michael Matczynski
@ 2010-08-19 13:54 ` Arno Wagner
  2010-08-19 14:28 ` Heinz Diehl
  1 sibling, 0 replies; 7+ messages in thread
From: Arno Wagner @ 2010-08-19 13:54 UTC (permalink / raw)
  To: dm-crypt

Without looking at the details, the passphrase/password is 
basically hashed and hashing to concentrate entropy is 
something that works very well. 

So, no difference.

Incidentially, while 2.) has less entropy per bit, it does not
have less entropy per symbol (the whole password). If you
just say "entropy", in crypto that usually means the entropy of
the whole password/passphrase as it is perceived as one "symbol".

Confusing, I know and the respective communities all think
the usage is clear. 

Arno



On Wed, Aug 18, 2010 at 04:11:51PM -0400, Michael Matczynski wrote:
> For luksFormat, is there a difference in password strength between the
> following two passwords?
> 
> 1.) <256bitsecret>
> 
> 2.) <256bitsecret> | base64
> 
> Does the use of PBKDF2 make the longer but less entropy password #2
> equivalent to #1?
> 
> Thanks!
> Mike
> 
> 
> -- 
> Michael Matczynski
> e: mjm@alum.mit.edu
> w: www.zingtech.com
> w: www.catchwine.com
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dm-crypt] luksFormat Password Entropy
  2010-08-18 20:11 [dm-crypt] luksFormat Password Entropy Michael Matczynski
  2010-08-19 13:54 ` Arno Wagner
@ 2010-08-19 14:28 ` Heinz Diehl
  2010-08-19 15:23   ` Heinz Diehl
  2010-08-19 18:35   ` Arno Wagner
  1 sibling, 2 replies; 7+ messages in thread
From: Heinz Diehl @ 2010-08-19 14:28 UTC (permalink / raw)
  To: dm-crypt

On 19.08.2010, Michael Matczynski wrote: 

> For luksFormat, is there a difference in password strength between the
> following two passwords?
 
> 1.) <256bitsecret>
> 
> 2.) <256bitsecret> | base64

Yes, if both passwords have the same length and you choose a password which 
is built upon a base of at least more than 64 different chars.

The password strength (entropy) is calculated this way,

 B = ((L * log P) / log 2)

where B is the entropy in bits, L is the length of the password, and P is
the amount of possible different chars (the "pool"). So if you choose base64, 
P will always be 64, and if you choose a password which e.g. includes A-Za-z0-9
og random chars as %!"/(] (and so on), P will be higher, thus resulting in
a higher strength of the overall password. As long as you choose a
password with P > 64, it will be stronger.

There are P^N different passwords.

> Does the use of PBKDF2 make the longer but less entropy password #2
> equivalent to #1?

If the hash used in PBKDF2 is not flawed or broken: yes.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dm-crypt] luksFormat Password Entropy
  2010-08-19 14:28 ` Heinz Diehl
@ 2010-08-19 15:23   ` Heinz Diehl
  2010-08-19 18:35   ` Arno Wagner
  1 sibling, 0 replies; 7+ messages in thread
From: Heinz Diehl @ 2010-08-19 15:23 UTC (permalink / raw)
  To: dm-crypt

On 19.08.2010, Heinz Diehl wrote: 

> There are P^N different passwords.

P^L, of course..

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dm-crypt] luksFormat Password Entropy
  2010-08-19 14:28 ` Heinz Diehl
  2010-08-19 15:23   ` Heinz Diehl
@ 2010-08-19 18:35   ` Arno Wagner
  2010-08-21  7:30     ` Heinz Diehl
  1 sibling, 1 reply; 7+ messages in thread
From: Arno Wagner @ 2010-08-19 18:35 UTC (permalink / raw)
  To: dm-crypt

On Thu, Aug 19, 2010 at 04:28:17PM +0200, Heinz Diehl wrote:
> On 19.08.2010, Michael Matczynski wrote: 
> 
> > For luksFormat, is there a difference in password strength between the
> > following two passwords?
>  
> > 1.) <256bitsecret>
> > 
> > 2.) <256bitsecret> | base64
> 
> Yes, if both passwords have the same length and you choose a 
> password which 
> is built upon a base of at least more than 64 different chars.

The latter is no needed. base64 is an Isomprphism and as such
does not change total string entropy, regardless of input.
And the crypto-hash just cares about the entropy, not ho
it is encoded.

> The password strength (entropy) is calculated this way,
> 
>  B = ((L * log P) / log 2)

Hmm. I have 

   B[bit] = L * b[bit]        // L symbols
and 
   b[bit] = log2(P)           // entropy/symbol, all symbols equally probable
i.e.
   B[bit] = L * log2(P) 
          = L * ln(P) / ln(2)

Ok, matches. Although I find B = L * log2(P) easier to remember.
   
> where B is the entropy in bits, L is the length of the password, 
> and P is the amount of possible different chars (the "pool"). 
> So if you choose base64, P will always be 64, 

No, actually, the input can restrict P to something smaller.
Your formula only holds for equally probable symbols, with
probabilitoes independent. Symbols that do not show up (or
do no show up in specific locations) are not equally probable 
anymore...

> and if you choose a password which e.g. includes A-Za-z0-9
> of random chars as %!"/(] (and so on), P will be higher, 
> thus resulting in a higher strength of the overall password. 
>
> As long as you choose a password with P > 64, it will be stronger.

Yes, but if you coose a password with higher P, it will
be stronger. Nothing special about P=64. 


Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dm-crypt] luksFormat Password Entropy
  2010-08-19 18:35   ` Arno Wagner
@ 2010-08-21  7:30     ` Heinz Diehl
  2010-08-21 17:41       ` Arno Wagner
  0 siblings, 1 reply; 7+ messages in thread
From: Heinz Diehl @ 2010-08-21  7:30 UTC (permalink / raw)
  To: dm-crypt

On 19.08.2010, Arno Wagner wrote: 

> > So if you choose base64, P will always be 64, 
 
> No, actually, the input can restrict P to something smaller.

I don't think you're right. If the input doesn't lead to the use of 
all of the chars available in base64, so does it "choose" from this pool 
anyway. P is the amount of possibly available chars and is unrelated 
to how many different ones out of this pool actually are used. To
bruteforce the password, you'll have to try all the 64 possibilities for
each position (ok, statistically you'll have to try 50% of the whole
headroom).

If you e.g. build a password which uses 5 numbers, P is 10 [0-9].
A password out of 5 capital letters, P = 26 [A-Z]. For each of the
positions ("slots") in the password, there are 10 different possibilities 
related to the first, and 26 to the second password.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [dm-crypt] luksFormat Password Entropy
  2010-08-21  7:30     ` Heinz Diehl
@ 2010-08-21 17:41       ` Arno Wagner
  0 siblings, 0 replies; 7+ messages in thread
From: Arno Wagner @ 2010-08-21 17:41 UTC (permalink / raw)
  To: dm-crypt

On Sat, Aug 21, 2010 at 09:30:25AM +0200, Heinz Diehl wrote:
> On 19.08.2010, Arno Wagner wrote: 
> 
> > > So if you choose base64, P will always be 64, 
>  
> > No, actually, the input can restrict P to something smaller.
> 
> I don't think you're right. If the input doesn't lead to the use of 
> all of the chars available in base64, so does it "choose" from this pool 
> anyway. P is the amount of possibly available chars and is unrelated 
> to how many different ones out of this pool actually are used. 

You entropy formula assumes equal propbability and independence 
between the positions. 

> To
> bruteforce the password, you'll have to try all the 64 possibilities for
> each position (ok, statistically you'll have to try 50% of the whole
> headroom).
> 
> If you e.g. build a password which uses 5 numbers, P is 10 [0-9].
> A password out of 5 capital letters, P = 26 [A-Z]. For each of the
> positions ("slots") in the password, there are 10 different possibilities 
> related to the first, and 26 to the second password.

Assume independendce and uniform distribution, you are right.
Hiowever with non-independence and/or nonuniformness, you
are wrong. Example:

String of 10 "0"/"1" randomly, entropy is 10 bit:
   "1001010010"

base64("1001010010"): 
    "MTAwMTAxMDAxMAo"

15 chars, 7 different ones, still 10 bit entropy. Why?
a) the positions are not independent anymore and b)
the chars have nonuniform distribution. The formula for
the entropy here is a bit more complicated...

To comne back to my original argument, P is also restiricted
to something smaller, in addition to you entropy formula being
invalid for the second form.

The thing to remember here is that 1:1 mappings (Isomorphisms)
do not change the entropy of the whole object. Examples are 
compression, decompressions, encryption, decryption, base64
encoding or decoding, ...

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2010-08-21 17:41 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-08-18 20:11 [dm-crypt] luksFormat Password Entropy Michael Matczynski
2010-08-19 13:54 ` Arno Wagner
2010-08-19 14:28 ` Heinz Diehl
2010-08-19 15:23   ` Heinz Diehl
2010-08-19 18:35   ` Arno Wagner
2010-08-21  7:30     ` Heinz Diehl
2010-08-21 17:41       ` Arno Wagner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox