Re: [dm-crypt] request for zulucrypt to be mentioned in cryptsetup main page.

[Arno Wagner <arno@wagner.name>]

On Thu, Sep 15, 2011 at 06:08:46PM +0200, Sven Eschenberg wrote:
> Hi Arno,
[...]
> >> Best approach of course would be to determine the entropy of the
> >> keyfile/passphrase, compare it to the requested keylength (and mode) and
> >
> > In practice this is infeasible, see example above.
> 
> Coming back to the example, I suggested *calculating* the entropy instead
> of a char count. I was thinking of good old Mr. Shannon there. That should
> give a feasible measurement of the passphrase quality. Of course this
> cannot take into account attacks based on dictionaries...

Does not work, as you cannot have a good source model. Shannon 
entropy assumes a source without memory, i.e. emitted symbols
are independent. In practice you combine not independent symbols 
(bits) into symbols large enough to get a reasonable approximation 
of that. The approximation quality is very much dependent on 
the application however. (Trust me, I did a PhD on entropy 
estimation ;-)

In my example, I give you two source models: 

1. single-character (byte) model for emglish, with 1.5...2.5 bit/char 
   of entropy. This model is easy to implement but potentially hugely  
   inaccurate, see examnple.
2. Whole passprase as 1 symbol model. This one is accurate, but
   cannot be implemented as a table that can neiter be generated
   nor stored would be needed. The best approximation I can
   come up with for this is to google the passphrase (with outer 
   quotes). That would still be pretty bad and tell google 
   and your web-browser and potential proxies your passphrase.

There are more models, but all that are implementable have
rather bad failure possibilities or are hugely expensive in
terms of time and space. Many are both.

See also FAQ entry on selecting Passphrases, especally the
Harry Potter example.

> >
> >> then decide what to do: Reject, compensate by key stretching, Accept.
> >
> > You basically can only accept and hope the user knows what they do.
> 
> Of course in a perfect world, we could hope for users knowing what they
> are doing ;-).

Salting helps. Iteraton helps. But testing passphrase quality
is only possible in an one-sided way, i.e. you can recognize
some bad ones, but you can not recognize good ones. 

Sorry, for burting this bubble. Your apporach is intuitive and
if it could be implemented it would be the way to go, but it cannot
be implemented well. The only two safe approaches are

1. Assume the passphrase may be low-entropy. Offer the best possible
   security for that. This is what LUKS does. If the user messes
   up, there is still some securit level.

2. Assme the passphrase is high-entropy and warn the user accordingly.
   This is the plain dm-crypt approach. If the user messes up,
   security is gone. n the plus side this is easy to implement,
   does not need any metadata and is fast.

Both approaches have their place. LUKS does a pretty good
job for novices. Still, understanding passphrases is required
for a secure selection. 

I have described both approaches in the cryptsetup FAQ in detail.
Anybody that wanst to can find out how to do it right. Those
that do not care will never have real security anyways.

See also http://xkcd.com/936/ Probably will add that to the FAQ
as well. Note that the second example uses a word-entropy model
and requires the words to be random. 

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier