Security Basics mailing list archives
RE: Good design for a Algorithmically Derived Passphrase for FDE (?!)
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 20 Nov 2007 11:06:54 -0800
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of ManInWhite Sent: Monday, November 19, 2007 1:11 PM
Secondly: The algorithm used to derive the passphrase not stored with the laptop at all. The CODEwords which are used to derive the passphrase are not stored with the laptop. They both never leave the key generation PC. Thirdly: The security of the system is not in keeping the algorithm secret. Ultimately all it is doing is generating offsets for lookup in a secret codebook. The Codebook is not stored with the laptop, and protected. The security is keeping this codebook secure. If the attacker was to somehow derive the numbers the algorithm produces it would be useless without the codebook. The laptop has no idea (45, 254, 12) means "alice walked with bob to town". Possession of the serial number or key generation algorithm would be effectively useless.
Let's see if I've correctly understood you. There is a codebook somewhere which maps "offsets" to passphrases. The algorithm you seek maps some identification of the laptop to an offset in the codebook. There are an arbitrary number of functions which will map the chosen identifiers to the correct offset, including looking up the identifiers in a table that maps them to offsets. Although the choice of algorithm for this step can dramatically affect *performance*, there is no other "security" difference between these functionally identical algorithms. Any algorithm that consistently maps each unique identifier input to a unique offset (this is the strong version of what a hash algorithm does...) will do. Knowledge of the algorithm would allow an attacker to determine the offset assigned to any given laptop; without access to the table those offsets reference, the offset is useless. So you might as well store the offset -- or some trivial equivalent! -- on the laptops and be done with it. David Gillett
Current thread:
- Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ansgar -59cobalt- Wiechers (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 19)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) Arbogast, Paul (Citco) (Nov 20)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ansgar -59cobalt- Wiechers (Nov 20)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) David Gillett (Nov 20)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) Pranav Lal (Nov 21)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ansgar -59cobalt- Wiechers (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Ali, Saqib (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Geoffrey Gowey (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) ManInWhite (Nov 20)
- RE: Good design for a Algorithmically Derived Passphrase for FDE (?!) Eric White (Nov 20)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Geoffrey Gowey (Nov 19)
- Re: Good design for a Algorithmically Derived Passphrase for FDE (?!) Muhammad Farooq-i-Azam (Nov 20)