Xref: utzoo sci.crypt:1437 comp.unix.wizards:13755 news.sysadmin:2019
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ncar!tank!nucsrl!rufus!john
From: john@rufus.math.nwu.edu (John Franks  Dept. of Math.  Northwestern Univ.)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Password encryption
Message-ID: <614@rufus.math.nwu.edu>
Date: 29 Dec 88 19:10:10 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <13022@bellcore.bellcore.com>
Organization: Dept. of Mathematics, Northwestern Univ.
Lines: 94

In article <13022@bellcore.bellcore.com>, karn@ka9q.bellcore.com (Phil Karn) writes:
> >>                          I'd also like to see a standard "key crunching"
> >> algorithm for transforming a password (or phrase) longer than 8 characters
> >> into a 56-bit DES key.
> 
> The point is that to be maximally effective, the UNIX password
> algorithm should be given keys with 56 bits of entropy. That is, the
> distribution of actual user keys should be uniformly distributed over
> all 2^56 possible values.
> 

I agree with this completely.  This is a much better solution than
a hidden passwd file.  

Also I don't believe that the two short words separated by  punc-
tuation  is  really very secure.  For most people this would be a
password of the form  "3-letter-word ? 4-letter-word",  (where  ?
is  a  punctuation  character) or  the same form with the 3 and 4
letter words switched.  My /usr/dict (SunOS 4.0) has 775 3-letter
words  and 2152 4-letter words.  If we say 20 punctuation charac-
ters, that gives a password space with 2*775*20*2152 = 66,712,000
possibilities.   If  1000 encryptions per second is possible then
the whole space can be done in something over 18 hours.

Question: Why are we limited to 56 bits?  Surely  not  for  effi-
ciency  or to save space.  This is an instance where we *want* to
be slow.  I've heard that NSA lobbied for smallish keys  in  com-
mercial  DES  rather than larger ones (the implication being they
wanted a  size they  could handle easily).  Does  anybody know if 
there is any truth to this?




























































-- 
John Franks 	Dept of Math. Northwestern University
		Internet	john@math.nwu.edu
		Bitnet		j_franks@nuacc