Educause Security Discussion mailing list archives

Re: Product request - Enterprise whole disk encryption for laptops


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Sat, 15 Jul 2006 12:44:04 -0400

On Sat, 15 Jul 2006 11:59:14 EDT, Dave Koontz said:

> FREE CompuSec was recently mentioned on one of my other lists.  Does anyone
> have any experience with this product?  It seems pretty feature rich for
> free, although it seems it is limited to AES 128 encryption rather than AES
> 256?

The first thing to do is to figure out if AES128 is sufficient for what
you're trying to protect.  Quite likely it is - even the 128-bit variant
is still going to take several million CPU-years to brute-force break.  So any weakness
will be in the key management (as usual).  And those vulnerabilities are
likely shared across the free and pay versions.

Of course, the pay version may have *other* worthwhile features, such as
better checking for strong passphrases.

And keep this in mind, everybody - you can be using bazillion-bit crypto,
but if that passphrase has only 40 bits of entropy, it's still 40-bit crypto.

1: Standard English only has about 2.2 bits of entropy per character.
2: The standard 96 printables have 3.5 bits *max*.

Moral 1: There is no way to create a 16-character password from the set
of 96 printables that is *effectively* any stronger than single-DES.

Moral 2: To get actual 128 bit strength, you either need a passphrase at
least 36 characters long, or start including control-alt-meta-cokebottle
characters in the passphrase.

These need to be *seriously* considered when contemplating desktop/laptop
encryption - I've seen all too many sites totally fail to understand this...

Don't blame me, blame Shannon. I'm just the messenger here. :)
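The point made in the message above, that the attacker searches the passphrase space rather than the key space, as an added Python example (this is not from the original message, the poster, or any product named in the thread). It assumes PBKDF2-HMAC-SHA256 as a stand-in for whatever key derivation a disk-encryption product really uses, a constructed HMAC key-check value standing in for the product's own "is this the right passphrase" test, a constructed salt and victim PIN, and an iteration count kept deliberately low so the search finishes in well under a second. The 256-bit key is never attacked; the four-digit passphrase is.

```python
import hashlib
import hmac
import itertools
import math

KEY_BITS = 256
PBKDF2_ITERS = 100              # assumption: deliberately low so the demo runs fast; not a product setting
SALT = b"constructed-demo-salt"  # constructed; a real product keeps its own per-volume salt


def derive_key(passphrase, salt, iterations=PBKDF2_ITERS):
    """Stand-in key derivation: PBKDF2-HMAC-SHA256 stretched to a KEY_BITS-bit key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_BITS // 8)


def key_check_value(key):
    """Constructed 'is this the right key?' tag. Any passphrase-based product must store
    something equivalent, or it could not tell a mistyped passphrase from a correct one;
    that same something is what lets an attacker recognise a correct guess."""
    return hmac.new(key, b"key-check", "sha256").digest()


def guess_space_bits(alphabet_size, length):
    """Entropy of a passphrase drawn uniformly from alphabet_size ** length choices."""
    return length * math.log2(alphabet_size)


def effective_strength_bits(key_bits, passphrase_bits):
    """The message's thesis in one line: the attacker runs the cheaper of the two searches,
    so the protection is the smaller of key size and passphrase entropy."""
    return min(key_bits, passphrase_bits)


def brute_force(salt, kcv, alphabet, length):
    """Enumerate every passphrase of `length` characters over `alphabet`, derive the key for
    each and compare its check value. Returns (passphrase, guesses) or (None, guesses).
    The size of the derived key plays no part in the cost of this loop."""
    guesses = 0
    for combo in itertools.product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(combo)
        if hmac.compare_digest(key_check_value(derive_key(candidate, salt)), kcv):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    pin = "0482"  # constructed victim passphrase: 4 decimal digits, about 13.3 bits of entropy
    kcv = key_check_value(derive_key(pin, SALT))
    bits = guess_space_bits(10, len(pin))
    print(f"key size: {KEY_BITS} bits, passphrase space: {bits:.1f} bits, "
          f"effective: {effective_strength_bits(KEY_BITS, bits):.1f} bits")
    recovered, guesses = brute_force(SALT, kcv, "0123456789", len(pin))
    print(f"recovered {recovered!r} after {guesses} guesses")
```

The per-character figures from the message plug straight into `effective_strength_bits`: 16 characters at 3.5 bits each gives `effective_strength_bits(128, 16 * 3.5) == 56.0`, the single-DES figure in Moral 1. Raising `PBKDF2_ITERS` slows each guess by the same factor for attacker and user alike, which buys a constant factor, not the missing bits of entropy.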
