Security Basics mailing list archives
Re: Crypto Question
From: Francisco Andrades <fandrades () nextj com>
Date: Fri, 07 Nov 2003 15:10:36 -0400
McGill, Lachlan wrote:
Am I right in assuming that an encrypted file/email is only as secure as the passphrase used for the private key? i.e. If i use the passphrase 'password' then does it become irrelevant what key size I use to encrypt the data?
That depends on the scheme you are trying to implement. When you use PBE (Password Based Encryption) the password you enter is used as a fixed parameter for generating a random symmetric key. If you repeat the same process using the same password and the same algorithm (most implementations use also a random padding and an iteration count) you will always get the same "random" symmetric key.
When choosing the algorithm to use you can also choose the length of the generated key. You have then three variables that define how strong is your encryption scheme:
1.- The length of the generated symmetric key. 2.- The selected algorithm 3.- The selected passwordIf the length of the symmetric key is really small then it can be brute forced. If the algorithm selected is weak then it can be brute forced. If you leave a copy of your password on a post-it note on your monitor then your data is as good as plain text.
Your data is only as secure as the weakest component on your security schema. A strong password but small key size is as good as a semi-weak password (no dictionary) and good key size.
-- Francisco Andrades Grassi www.nextj.com Tlf: +58-414-125-7415 --------------------------------------------------------------------------- Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCEThe Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ----------------------------------------------------------------------------
Current thread:
- Crypto Question McGill, Lachlan (Nov 07)
- Re: Crypto Question Ted Rolle (Nov 07)
- Re: Crypto Question Ted Rolle (Nov 07)
- Re: Crypto Question John Borwick (Nov 07)
- Re: Crypto Question Francisco Andrades (Nov 07)
- Re: Crypto Question Francisco Andrades (Nov 07)
- Re: Crypto Question Wu Fei Liang (Nov 07)
- Re: Crypto Question Adam Newhard (Nov 07)
- Re: Crypto Question Tomas Wolf (Nov 10)
- Re: Crypto Question Philip Duldig (Nov 11)
- Re: Crypto Question Mitchell Rowton (Nov 17)
- Re: Crypto Question Florian Streck (Nov 17)
- <Possible follow-ups>
- RE: Crypto Question Hagen, Eric (Nov 07)
- RE: Crypto Question Hagen, Eric (Nov 07)
- Re: Crypto Question N407ER (Nov 17)
- RE: Crypto Question Kenneth Buchanan (Nov 07)
(Thread continues...)