Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Good design for a Algorithmically Derived Passphrase for FDE (?!)

From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 20 Nov 2007 17:27:20 +0100
On 2007-11-20 ManInWhite wrote:

Secondly: The algorithm used to derive the passphrase not stored with
the laptop at all. The CODEwords which are used to derive the
passphrase are not stored with the laptop. They both never leave the
key generation PC.


So? The dictionary (or codebook as you call it) is part of your
passphrase generation algorithm. If an attacker learns the algorithm he
can reconstruct the passwords, because he knows the serial numbers from
which the passwords are derived. To repeat myself: don't do that.

Your security should *never* be based on the secrecy of your password
generation algorithm, but only on the strength of the passwords.


Thirdly: The security of the system is not in keeping the algorithm
secret.


Of course it is.


Ultimately all it is doing is generating offsets for lookup in a
secret codebook. The Codebook is not stored with the laptop, and
protected. The security is keeping this codebook secure.


See above. The codebook is part of your algorithm.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
Previous By Date Next
Previous By Thread Next

Current thread: