Re: Security for under a buck fifty

At 9:42 AM 7/12/94, Mike Johnson second login wrote:
>>[[email protected] [me] wrote about generating pass phrases from
>>true random numbers, mapping into a character set, creating mnemonics.]
>
>I already do this -- except that I use a keystroke- timing program for
>the true random source, and I do the mnemonic generation with my brain
>instead of the program.  My program just converts the random numbers to
>uniformly distributed printable ASCII (values between space and del), for
>a little more entropy than 6 bits per character.

The tradeoff is between number of characters needed (length of passphrase)
and diversity of character set. I'd probably have better luck with the
mnemonic if I didn't have to fit in a whole string of %*$@!, but that
should probably be a user setting.

>A more automated way to generate a pass phrase might be to convert every
>16 bits of random numbers to one of 65536 words and names in your
>favorite languages.  That way, you would have real words to memorize, but
>in a strange order.  For example, a 128 bit key might be:
>tree elephant action roof xymurgy eight top slash.
>
>You could try to think of some story to link the 8 originally unrelated
>words together and help you to remember it.

Another possibility: have a dictionary of different parts of speech and
assemble them in order. For a short example, each passphrase could be in an
order such as:

Article adjective modifier noun verb article adjective modifier noun.

Our favorite would fit: The quick brown fox jumps over the very lazy dog.

This loses entropy (Mallet knows the order, and probably the dictionaries)
and so you would want either a longer sentence or some other modification,
like random--not decided by the person--capitalization or character
substitution. Or have two sentences: The quick brown fox jumps over the
very lazy dog; a lovely ermine glove fits into the hazy slumping bucket.

Figure thirteen bits each, with dictionaries of ten thousand adjectives,
modifiers, nouns, and verbs each--your final dictionary would be 40
thousand words, total; you'd need about ten words to get 128 bits. Make
that two shorter--eight word--sentences, restricted to easy-to-remember
orderings, and you've more than made up for whatever entropy was lost in
having a known structure.

Umph. I think I need to start making time to write code, if I want to see
this work.

b&

--
[email protected], Arizona State University School of Music
 net.proselytizing (write for info): Protect your privacy; oppose Clipper.
 Voice concern over proposed Internet pricing schemes. Stamp out spamming.
 Finger [email protected] for PGP 2.3a public key.
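Added example, not a program from this post or from Mike Johnson's quoted
message: a Python sketch of the two schemes discussed in the thread, the
"16 random bits to one of 65536 words" mapping from the quoted text and
the parts-of-speech template from the reply, with the entropy arithmetic
for each (13 bits per word at ten thousand entries, ten words for 128
bits, and how much the known sentence structure costs against drawing the
same number of words from the merged dictionary). The word lists are tiny
constructed stand-ins for the ten-thousand-entry dictionaries the post
assumes, and every function name here is my own.

```python
import math
import secrets

# Constructed toy dictionaries (an assumption for this example); the post
# assumes about ten thousand entries per part of speech.
DICTS = {
    "article":   ["the", "a", "every", "some"],
    "adjective": ["quick", "lazy", "lovely", "hazy",
                  "slumping", "purple", "ancient", "brittle"],
    "modifier":  ["very", "rather", "quite", "oddly"],
    "noun":      ["fox", "dog", "ermine", "glove",
                  "bucket", "roof", "tree", "elephant"],
    "verb":      ["jumps", "fits", "carries", "ignores"],
}

# The sentence shape from the post ("The quick brown fox jumps over the
# very lazy dog"), with "over" folded into the verb slot for brevity.
TEMPLATE = ["article", "adjective", "modifier", "noun", "verb",
            "article", "adjective", "modifier", "noun"]


def words_for_bits(dict_size, target_bits):
    """Words needed to reach target_bits when each word is drawn
    uniformly from a dictionary of dict_size entries."""
    return math.ceil(target_bits / math.log2(dict_size))


def bits_to_words(raw, wordlist):
    """Map true-random bytes onto words, the quoted '65536 words, 16 bits
    each' scheme generalised to any power-of-two list size.  Each word
    consumes log2(len(wordlist)) bits; leftover bits that cannot fill a
    whole word are discarded rather than reused."""
    bits_per_word = len(wordlist).bit_length() - 1
    if 1 << bits_per_word != len(wordlist):
        raise ValueError("wordlist length must be a power of two")
    total_bits = len(raw) * 8
    n = int.from_bytes(raw, "big")
    words = []
    for i in range(total_bits // bits_per_word):
        shift = total_bits - (i + 1) * bits_per_word
        idx = (n >> shift) & ((1 << bits_per_word) - 1)
        words.append(wordlist[idx])
    return words


def template_entropy_bits(template, dicts):
    """Entropy of a phrase when Mallet knows the template and every
    dictionary: each slot contributes log2 of its own dictionary size."""
    return sum(math.log2(len(dicts[slot])) for slot in template)


def unstructured_entropy_bits(n_words, dicts):
    """Entropy of n_words drawn uniformly from all dictionaries merged,
    in no fixed order; the gap to template_entropy_bits is the entropy
    'lost in having a known structure'."""
    pool = sum(len(v) for v in dicts.values())
    return n_words * math.log2(pool)


def generate(template, dicts, rng=secrets):
    """Fill the template with uniformly chosen words.  rng must expose
    .choice(); secrets.choice draws from the OS CSPRNG.  Any
    capitalisation or substitution tweak must also come from rng, not
    from the user, or it adds nothing Mallet cannot guess."""
    return " ".join(rng.choice(dicts[slot]) for slot in template)


def fits_template(phrase, template, dicts):
    """True if the phrase has one word per slot, each from that slot's
    dictionary (the check a grammar-aware attacker would also apply)."""
    words = phrase.split(" ")
    return len(words) == len(template) and all(
        w in dicts[slot] for w, slot in zip(words, template))


if __name__ == "__main__":
    print("10k-word dictionary, 128 bits:", words_for_bits(10_000, 128), "words")
    print("64k-word dictionary, 128 bits:", words_for_bits(65_536, 128), "words")
    print("template bits (toy dicts):",
          round(template_entropy_bits(TEMPLATE, DICTS), 2))
    print("same 9 words, no structure:",
          round(unstructured_entropy_bits(len(TEMPLATE), DICTS), 2))
    print(generate(TEMPLATE, DICTS))
```

With the toy lists the nine-slot template yields 22 bits, while nine words
drawn from the 28-word merged pool with no fixed order would yield about
43; that ratio, not the absolute numbers, is the point of the reply's
"two shorter sentences" suggestion, since a second sentence doubles the
template's contribution.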