Security Basics mailing list archives
Re: Good design for a Algorithmically Derived Passphrase for FDE (?!)
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 20 Nov 2007 17:27:20 +0100
On 2007-11-20 ManInWhite wrote:
> Secondly: The algorithm used to derive the passphrase is not stored with the laptop at all. The CODEwords which are used to derive the passphrase are not stored with the laptop. They both never leave the key generation PC.
So? The dictionary (or codebook as you call it) is part of your passphrase generation algorithm. If an attacker learns the algorithm he can reconstruct the passwords, because he knows the serial numbers from which the passwords are derived. To repeat myself: don't do that. Your security should *never* be based on the secrecy of your password generation algorithm, but only on the strength of the passwords.
> Thirdly: The security of the system is not in keeping the algorithm secret.
Of course it is.
> Ultimately all it is doing is generating offsets for lookup in a secret codebook. The Codebook is not stored with the laptop, and protected. The security is keeping this codebook secure.
See above. The codebook is part of your algorithm.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
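Added example, not part of the original message or of either poster's actual scheme: a sketch of the point argued above, comparing a passphrase derived from a serial number through a codebook with one drawn at random from the same codebook. The derivation (SHA-256 of the serial turned into codebook offsets), the placeholder codebook, and the serial numbers are assumptions constructed for illustration.

```python
import hashlib
import math
import secrets

# Constructed stand-in for the secret codebook: 2048 placeholder "words".
CODEBOOK = [f"word{i:04d}" for i in range(2048)]
WORDS = 6

def derived_passphrase(serial, codebook=CODEBOOK, words=WORDS):
    """Hypothetical scheme: the serial number is hashed into codebook offsets."""
    digest = hashlib.sha256(serial.encode()).digest()
    offsets = (int.from_bytes(digest[2 * i:2 * i + 2], "big") % len(codebook)
               for i in range(words))
    return "-".join(codebook[o] for o in offsets)

def random_passphrase(codebook=CODEBOOK, words=WORDS):
    """Each word comes from the OS CSPRNG; the serial number plays no part."""
    return "-".join(secrets.choice(codebook) for _ in range(words))

def exposed_by_leak(fleet, leaked_codebook):
    """Count laptops whose passphrase follows from serial + leaked codebook."""
    return sum(derived_passphrase(serial, leaked_codebook) == passphrase
               for serial, passphrase in fleet.items())

def remaining_entropy_bits(codebook=CODEBOOK, words=WORDS):
    """Guessing entropy of a random passphrase when the codebook is public."""
    return words * math.log2(len(codebook))

# Constructed serial numbers, assumed known to whoever holds the laptop.
SERIALS = ["SN-0001", "SN-0002", "SN-0003"]
derived_fleet = {s: derived_passphrase(s) for s in SERIALS}
random_fleet = {s: random_passphrase() for s in SERIALS}

if __name__ == "__main__":
    print("derived scheme, codebook leaked:",
          exposed_by_leak(derived_fleet, CODEBOOK), "of", len(SERIALS))
    print("random scheme, codebook leaked: ",
          exposed_by_leak(random_fleet, CODEBOOK), "of", len(SERIALS))
    print("bits left per random passphrase:", remaining_entropy_bits())
```

With the derived scheme, one leak of the codebook and algorithm determines every passphrase in the fleet; with random selection the same leak still leaves 66 bits of guessing work per laptop, at the cost of having to escrow each passphrase.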