Xref: utzoo sci.crypt:1432 comp.unix.wizards:13742 news.sysadmin:2008
Path: utzoo!attcan!uunet!husc6!uwvax!rutgers!bellcore!ka9q.bellcore.com!karn
From: karn@ka9q.bellcore.com (Phil Karn)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Re: Yet Another useful paper
Message-ID: <13022@bellcore.bellcore.com>
Date: 28 Dec 88 21:13:16 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <12750@bellcore.bellcore.com> <1988Dec26.151208.19016@ziebmef.uucp>
Sender: news@bellcore.bellcore.com
Reply-To: karn@ka9q.bellcore.com (Phil Karn)
Organization: Home for Burned-out Hackers
Lines: 37

>> I'd also like to see a standard "key crunching"
>> algorithm for transforming a password (or phrase) longer than 8 characters
>> into a 56-bit DES key.

> But what will this accomplish if the password file is readable and the
> encryption method (key crunching and all) public?

A lot. The point is that to be maximally effective, the UNIX password algorithm should be given keys with 56 bits of entropy. That is, the distribution of actual user keys should be uniformly distributed over all 2^56 possible values. Present attacks on encrypted UNIX passwords are so successful only because the actual passwords people use are clustered in a tiny portion of this key space, and it is easily searched by brute force. However, a truly uniform key distribution would virtually defeat this for anyone but the NSA.

Now this can be done in two ways: by having people use passwords that resemble either "(X4Hj12@", or "The wolf ate the duck whole.". The first is eight random characters (actually, only printing ASCII characters were chosen here, making the entropy more like 52 bits instead of 56). The second is an English sentence of 28 characters. According to Shannon's figure of 2 bits/letter for the entropy of English, this sentence has 56 bits of entropy. But which password is a human user more likely to remember? That's the whole point behind key crunching.
By itself, this is not enough since people are likely to object to having to type repeatedly such long passwords. The answer to that problem is a good authentication scheme that would allow you to give your password only once (when logging in to your "home" computer) which would then enable your system to authenticate you to the other systems you use regularly on the network. As much as people like to bash rsh/rlogin as insecure, you must admit that it may actually enhance security if the alternative was to require people to enter their passwords so frequently that they choose short, simple ones to simplify typing.

Phil
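The entropy arithmetic in the post and the shape of a "key crunching" step, as an added worked example (this is not Karn's code and not any standard crunching algorithm). It assumes SHA-256 as the public mixing function, which did not exist in 1988, and reduces the passphrase to 56 bits before packing those bits into the 8-byte DES key layout with its per-byte odd parity. The two sample passwords are the ones quoted in the post; the printable-ASCII alphabet of 95 characters and the 2 bits/letter figure are the post's own assumptions.

```python
import hashlib
import math

# Sample passwords taken from the post (the first stands in for "eight random
# printing ASCII characters", the second is the English sentence).
RANDOM_PASSWORD = "(X4Hj12@"
SENTENCE_PASSWORD = "The wolf ate the duck whole."

PRINTABLE_ASCII = 95            # characters 0x20..0x7E
SHANNON_BITS_PER_LETTER = 2.0   # Shannon's rough figure for English, as quoted in the post


def entropy_random_printable(length: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly from printing ASCII."""
    return length * math.log2(PRINTABLE_ASCII)


def entropy_english(sentence: str) -> float:
    """The post's back-of-the-envelope estimate: 2 bits per character of English text."""
    return len(sentence) * SHANNON_BITS_PER_LETTER


def crunch56(passphrase: str) -> bytes:
    """Hypothetical key-crunching step: reduce a passphrase of any length to 56 bits.

    Assumption: SHA-256 is the mixing function (not what the post proposes; any
    fixed, public, one-way function plays the same role). Hashing cannot add
    entropy: the 56 bits are only as unpredictable as the passphrase itself,
    which is why the entropy estimates above matter.
    """
    return hashlib.sha256(passphrase.encode("utf-8")).digest()[:7]


def des_key_from_56(material: bytes) -> bytes:
    """Expand 56 bits of key material into the 8-byte DES key format.

    A DES key is 64 bits of which 8 are parity bits: each byte carries 7 key bits
    in its upper positions and a low bit chosen so the byte has odd parity.
    """
    if len(material) != 7:
        raise ValueError("need exactly 56 bits (7 bytes) of key material")
    bits = int.from_bytes(material, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (7 * (7 - i))) & 0x7F
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:  # set the low bit to make parity odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def des_key_material(key: bytes) -> bytes:
    """Inverse of des_key_from_56: strip the parity bits back out (used for checking)."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    bits = 0
    for byte in key:
        bits = (bits << 7) | (byte >> 1)
    return bits.to_bytes(7, "big")


def has_odd_parity(key: bytes) -> bool:
    """True when every byte of the key carries an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def crunch_to_des_key(passphrase: str) -> bytes:
    """Full pipeline: passphrase -> 56 bits of material -> 8-byte DES key."""
    return des_key_from_56(crunch56(passphrase))


if __name__ == "__main__":
    print(f"8 random printing ASCII chars: {entropy_random_printable(8):.1f} bits")
    print(f"{SENTENCE_PASSWORD!r}: {entropy_english(SENTENCE_PASSWORD):.0f} bits (Shannon estimate)")
    for pw in (RANDOM_PASSWORD, SENTENCE_PASSWORD):
        print(f"{pw!r} -> DES key {crunch_to_des_key(pw).hex()}")
```

Running it reproduces the post's figures: eight uniformly random printing ASCII characters come to about 52.6 bits, and the 28-character sentence to 56 bits under the 2 bits/letter estimate. The round trip through des_key_material shows that the parity bits carry no key material, so the key space really is 2^56 whatever the passphrase length; the crunching step only makes the longer, more memorable passphrase fit that space.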