CERBERUS
The strength of a high-grade cryptosystem's cipher precludes practical cryptanalytic attacks. However, if your keying information is confined to a small enough part of the keyspace, an attacker need only search that manageable part to hit the correct key value. Clues that change the attacker's probability distribution over the keyspace from a uniform one to a highly "peaked" one are the basis of modern code-breaking, and denying an adversary such clues is the basis of your security. Aside from rubber-hose cryptanalysis (finding yourself in a basement, assisting some large gentlemen with their inquiries), the most successful way for an adversary to obtain such clues is to social-engineer your likely passphrases from other information about you.

NOTE: Our master key generation algorithm requires that the number of characters in your name plus the number of characters in your passphrase be not less than 20 nor more than 126.

The high redundancy of English text (so beloved by cryptanalysts seeking non-uniform distributions with which to crack codes) typically yields only about 1.3 bits of entropy per character of a literary phrase. Consequently, the 20-character minimum contributes no more than about 26 bits of keying entropy (roughly 36 bits of work factor once the 10 bits of our master key computation are counted), even though the SHA-1 algorithm spreads those bits throughout the keyspace. Passphrases of 15 to 30 characters work well for many people in balancing security against the need to type flawlessly into a dialog box that has been "blinded" to prevent shoulder surfers from seeing the passphrase as you enter it. A 30-character literary phrase provides approximately 39 bits of entropy which, combined with the 10 bits from our master key computation, yields an encryption-breaking DES work factor of log₂(3) + 49 ≈ 50.6 bits (the log₂(3) term counts each triple-DES trial as three DES operations).

VULNERABILITIES

The reason for using passphrases is to avoid ever recording unencrypted keying information, and so to prevent its compromise.
(Few people can memorize a 24-byte key as 48 hexadecimal digits.) Consequently, mnemonic devices are needed so that you never have to write your passphrase down. However, just because you haven't left it on a Post-It® note stuck to your monitor doesn't mean that a clever adversary can't use those very mnemonic devices to deduce your passphrase, or at least to shorten the automated dictionary attack run against it. The means you employ to choose your passphrase (preferably of 15 to 30 characters) is therefore of extreme importance to your data's security.

Knowledgeable adversaries (like the French intelligence service that targeted Texas Instruments) attack the weakest part of your INFOSEC, not the strongest. For instance, unplugging your disk and connecting it to a cable on their laptop lets them read it directly, regardless of password programs or other obstacles to running their scanning software on your computer. If time doesn't permit, they can simply steal the hard drive out of your machine. If they can get it past your physical security, stealing the entire computer leaves you wondering whether it was data theft or simple burglary of a saleable machine. (If the data was the latest geological evaluation of an oil field or gold mine, or your company's too-high-by-one-dollar bid for a big contract, you wouldn't wonder for long.) Such adversaries are well versed in the too-clever mnemonic tricks continually reinvented by amateurs, most of whom apply them to easily guessed roots. Technical people who type numerical constants (such as pi or Euler's constant) with the shift key held down are particularly weak targets. So are people who type obvious phrases using the keys adjacent to those of the actual characters.

YOUR CHOICE

Using the sentence found at a memorable line and page number of a professional reference book requires an attacker (and you) to have a physical copy of the book at hand.
This may be difficult for laptop "road warriors," whose INFOSEC needs are often greater than those of people in secure, book-laden facilities.

NOTE: It can, however, be an acceptable technique for exchanging a passphrase securely with another user of our cryptosystems who owns the same book, provided the communication gives adversaries no clue as to which book you are both using. This protocol is, after all, just a variation on the primitive theme of book codes.

On the other hand, rooting your phrases in the context of your (truly) private life can make them totally obscure to attackers working in the context of your work life, while remaining easy for you to remember. (However, your family's names, your favorite sports team and other so-called "private" information available to your co-workers are worse than useless. They are most any knowledgeable attacker's starting point.)

NOTE: Our software cryptosystems take the 160-bit SHA-1 digest of your passphrase and spread those bits over a 168-bit key by repeated triple-DES CBC encryptions. They use the digest as the key and perform 333 passes, plus however many more are needed to pass the weak/semi-weak key tests, adding roughly 1000 triple-DES encryptions (about 10 bits of work) to each passphrase trial. Even if reverse engineering yielded the exact form of the algorithm, this substantially increases the work factor of a dictionary attack. That is also why your personal security must be factored into your plans: an adversary faced with that work factor may choose the easier attack of rubber-hose cryptanalysis.

Unless you're an accomplished amateur poet, generating memorable phrases not found in published literature will be a challenge. If your passphrase is easy for you to reproduce, your adversaries may reproduce it too; if you can't reproduce it, your data is as secure from you as from them. Only you can choose well against your adversaries.
If some of the words in a passphrase are restricted to those that "go well" with the others, the scope of the required dictionary attack shrinks. If instead you choose each word at random, your "secret" will be a nonsense phrase that is still memorable but harder to guess. If each word is selected independently by randomly addressing a list of 4,096 words, each word adds 12 bits of entropy to the phrase regardless of its length, whereas a typical English phrase contributes only about 1.3 bits per character. Thus four 12-bit-addressed words yield 48 bits, versus 39 bits for a 30-character literary phrase, and the added 10 bits of our master key computation give those four words an encryption-breaking DES work factor of log₂(3) + 58 ≈ 59.6 bits. Arnold Reinhold's Diceware web site provides a list of 7,776 words (one for each possible roll of five dice) for his dice-rolling method of random addressing, producing about 12.9 bits of entropy per word.

The Professional versions of our software cryptosystems include a pseudo-random passphrase generator. It incorporates a dictionary of 16,384 words of 5 to 10 characters (average length 7.4 characters), selected with pseudo-random addresses from our ANSI X9.17 keystream generator. Each of its four-word nonsense phrases contributes 56 bits of entropy (4 × 14 bits), and our master key computation's 1000 recursive 3DES encryptions of the phrase's SHA-1 hash bring the DES work factor to almost 68 bits. That figure assumes the generator's addresses are uniform over the dictionary and that the adversary cannot reproduce its keystream.

SHARED SECRET KEY SHARES

The Professional versions of our software cryptosystems give you the optional capability to create key share diskettes for emergency access without knowledge of your passphrase. If you keep two key share diskettes in separate secure locations, they provide emergency access should you forget your passphrase.

NOTE: The 24-byte master key is used as the y-intercept of a line whose slope is an ANSI X9.17-generated 24-byte number.
Each key share is a point on that line, so any two of them can be combined to regenerate the master key, while knowledge of any one of them conveys zero information about the master key. (That property holds only when the line arithmetic is carried out in a finite field, for example modulo a prime larger than any 24-byte value, with a uniformly random slope; over the ordinary integers a single point would bound the intercept.) Only shares created together, in the same session and thus on the same line, will combine, and they will work only until you change your passphrase, since that generates a different master key.

The real purpose of this feature, however, is to let you encrypt data you are obliged to preserve for others in the event of your incapacity or death. For instance, you could give your wife, your accountant and your attorney one share each, so that any two of them could recover the encrypted information in such an event. If the data belonged to your employer, you could give one share each to your immediate supervisor, the director of personnel and the corporate attorney.

Unfortunately, unless a cryptosystem is specifically designed with features to thwart it, Windows can leak your passphrase. In fact, unless prevented, Windows can bypass encryption, leaving copies of your plaintext scattered on your disk.
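The key share construction described above (master key as y-intercept, random slope, each share a point on the line, any two shares recover the key) is Shamir's two-of-n secret sharing. The following is an added worked example written for this page, not Cerberus Systems' code. It assumes things the page does not state: arithmetic is done modulo the prime P below (chosen because it exceeds every 24-byte value), shares are placed at x = 1..n, and Python's `secrets` module stands in for the ANSI X9.17 generator. The `slope_explaining` helper makes the "zero information" claim concrete: for any one share and any candidate key there is exactly one slope that fits, so a lone share is equally consistent with every possible key.

```python
"""Two-of-n secret sharing of a 24-byte master key over a prime field.

Added example, not Cerberus Systems code.  Arithmetic is done mod P so that
a single share carries no information about the key; over the plain
integers y = key + slope*x >= key would leak an upper bound on the key.
"""
import secrets

KEY_BYTES = 24
# Assumption: the page names no field.  Any prime above 2**192 works; the
# P-192 field prime is used because every 24-byte key is then a field element.
P = 2**192 - 2**64 - 1


def make_shares(master_key: bytes, n_shares: int, rng=secrets.randbelow):
    """Split master_key into n shares (x, y); any two recover the key."""
    if len(master_key) != KEY_BYTES:
        raise ValueError("master key must be exactly 24 bytes")
    if n_shares < 2:
        raise ValueError("a 2-of-n scheme needs at least two shares")
    intercept = int.from_bytes(master_key, "big")   # the secret
    slope = rng(P)                                   # uniform in [0, P); X9.17 stand-in
    # x = 0 would hand out the intercept itself, so shares use x = 1..n.
    return [(x, (intercept + slope * x) % P) for x in range(1, n_shares + 1)]


def recover_key(share_a, share_b) -> bytes:
    """Recover the master key from two distinct shares of one session.

    The y-intercept of the line through (x1, y1) and (x2, y2) is
    (y1*x2 - y2*x1) / (x2 - x1), with the division done mod P.
    Shares from different sessions lie on different lines, so the result is
    then a random field element: if it does not fit in 24 bytes the mismatch
    is detected here, otherwise it is simply a wrong key.
    """
    (x1, y1), (x2, y2) = share_a, share_b
    if x1 == x2:
        raise ValueError("two distinct shares are required")
    inv = pow((x2 - x1) % P, -1, P)                  # modular inverse
    intercept = ((y1 * x2 - y2 * x1) * inv) % P
    if intercept >= 1 << (8 * KEY_BYTES):
        raise ValueError("shares are not from the same session")
    return intercept.to_bytes(KEY_BYTES, "big")


def slope_explaining(share, candidate_key: bytes) -> int:
    """Return the slope under which `share` lies on a line whose intercept
    is `candidate_key`.

    Exactly one such slope exists for every candidate, so a single share is
    consistent with every possible key and reveals nothing about the real one.
    """
    x, y = share
    candidate = int.from_bytes(candidate_key, "big")
    return ((y - candidate) * pow(x, -1, P)) % P


if __name__ == "__main__":
    # Constructed sample key; a real master key is derived from the passphrase.
    key = bytes(range(KEY_BYTES))
    shares = make_shares(key, 3)                     # e.g. spouse, accountant, attorney
    print("two shares recover the key:", recover_key(shares[0], shares[2]) == key)
    print("one share fits an all-0xff key too:",
          (int.from_bytes(b"\xff" * 24, "big")
           + slope_explaining(shares[1], b"\xff" * 24) * shares[1][0]) % P == shares[1][1])
```

The check a practitioner should carry over from this example is the modular reduction: it is the finite-field arithmetic, together with a uniformly random slope, that makes one share worthless on its own. A second run of `make_shares` picks a fresh slope, which is why shares from different sessions (or from before and after a passphrase change) cannot be mixed.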
The Cerberus logo and the ...Security Manager product names are trademarks of Cerberus Systems, Inc. © Copyright 1997-99, all rights reserved.