From: Maaartin on 25 May 2010 17:14

On May 25, 10:24 pm, "Datesfat Chicks" <datesfat.chi...(a)gmail.com> wrote:
> "Maaartin" <grajc...(a)seznam.cz> wrote in message
>
> >I don't see what advantage it should give you. You still need to store
> >something and you need to do twice as much work (given the correct
> >password), but the adversary needs to do only the first step.
>
> >Here is the description of how Truecrypt verifies the key (no idea how
> >PGP does it):
> >http://www.truecrypt.org/docs/?s=encryption-scheme
> >"Decryption is considered successful if the first 4 bytes of the
> >decrypted data contain the ASCII string "TRUE", and if the CRC-32
> >checksum of the last 256 bytes of the decrypted data (volume header)
> >matches the value located at byte #8 of the decrypted data..."
>
> This is essentially a variation on what I suggested with "0" bytes at the
> start.

Agreed.

> The reason I was concerned about this is that it makes attacks cheaper.
> Better to force an attacker to do a lot of work to figure out if they are
> successful.
>
> For a legitimate user, they only need to tolerate the cost once, when they
> try to mount the volume. But an attacker would have to tolerate it many
> times.
>
> Seems to make a brute force attack easier.

There are 1000 (or 2000) iterations of the hash function in the key derivation process in order to make it harder for the attacker. I saw a paper on memory-intensive key strengthening, which counters parallel execution on cheap hardware (GPU, FPGA, ASIC, ...).

You ignored my objection: I said that using one separate hash for verification gives you no advantage and lowers the ratio of the attacker's work to the legitimate user's work.
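Added example (not from the thread, not TrueCrypt's code): a Python model of the header check quoted above, to make the cost argument concrete. The passphrase goes through an iterated key derivation (PBKDF2-HMAC-SHA256 with 2000 iterations, matching the count Maaartin mentions; TrueCrypt's actual KDF and parameters are not reproduced), the derived key transforms the header, and the header is accepted only if the first 4 bytes read "TRUE" and the CRC-32 of the last 256 bytes equals the value stored at byte 8. The header layout (448 bytes, master keys in the last 256, CRC stored big-endian), the salt and the HMAC-SHA256 counter-mode keystream used in place of TrueCrypt's block cipher are all assumptions made so the example runs offline. A call counter on the KDF shows that one verification attempt, right or wrong, costs exactly one KDF run: the legitimate user and anyone guessing pay the same price per try, which is why the iteration count, not the cheapness of the final check, sets the ratio.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed parameters (assumptions, not TrueCrypt's real values).
ITERATIONS = 2000    # post: "1000 (or 2000) iterations" of the hash in key derivation
HEADER_LEN = 448     # decrypted header area; the last 256 bytes hold the master keys
MAGIC = b"TRUE"      # quoted: first 4 bytes of the decrypted data must be "TRUE"
CRC_OFFSET = 8       # quoted: CRC-32 of the last 256 bytes is stored at byte #8
STATS = {"kdf_calls": 0}   # counts how many times the expensive step ran


def derive_header_key(password: bytes, salt: bytes) -> bytes:
    """Iterated key derivation from the passphrase (PBKDF2-HMAC-SHA256, an assumption).
    This is the step that dominates the cost of every verification attempt."""
    STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 over a 64-bit counter (assumption; TrueCrypt
    uses a block cipher in XTS mode, which is not reproduced here)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_header(password: bytes, salt: bytes, master_keys: bytes) -> bytes:
    """Produce an encrypted header: MAGIC | 4 constructed version bytes | CRC-32 |
    zero padding | 256 bytes of master keys, then XOR with the keystream."""
    if len(master_keys) != 256:
        raise ValueError("master key area must be exactly 256 bytes")
    crc = zlib.crc32(master_keys) & 0xFFFFFFFF
    padding = b"\x00" * (HEADER_LEN - 12 - 256)
    plain = MAGIC + b"\x00\x05\x00\x07" + struct.pack(">I", crc) + padding + master_keys
    key = derive_header_key(password, salt)
    return xor_bytes(plain, keystream(key, HEADER_LEN))


def verify_header(password: bytes, salt: bytes, encrypted: bytes):
    """Return the 256-byte master key area if the passphrase is correct, else None.
    Both checks quoted in the thread are applied, in order: magic first, then CRC."""
    key = derive_header_key(password, salt)
    plain = xor_bytes(encrypted, keystream(key, len(encrypted)))
    if plain[:4] != MAGIC:
        return None
    stored_crc = struct.unpack(">I", plain[CRC_OFFSET:CRC_OFFSET + 4])[0]
    tail = plain[-256:]
    if (zlib.crc32(tail) & 0xFFFFFFFF) != stored_crc:
        return None
    return tail


if __name__ == "__main__":
    # Constructed sample values.
    salt = b"constructed-salt"
    master_keys = bytes(range(256))
    header = build_header(b"correct horse battery", salt, master_keys)

    before = STATS["kdf_calls"]
    ok = verify_header(b"correct horse battery", salt, header) == master_keys
    bad = verify_header(b"wrong passphrase", salt, header) is None
    print("correct passphrase accepted:", ok)
    print("wrong passphrase rejected:  ", bad)
    print("KDF runs for those two attempts:", STATS["kdf_calls"] - before)
```

Swapping the "TRUE"-plus-CRC check for a separately stored hash of the derived key would not change this picture: a guess still needs the KDF before either check can be evaluated, so the per-guess cost is set by `ITERATIONS`, not by which cheap test comes afterwards.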
From: Solbu on 25 May 2010 21:03

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Datesfat Chicks sent the following transmission through subspace:
> how do they know it is the wrong passphrase

In GNU/Linux, which is what I use, the stored password is itself encrypted using a one-way encryption scheme that cannot be reversed. (It cannot be decrypted, not even by the system.)

When you enter a password, the string you entered is encrypted and compared to the stored encrypted string. If the two strings match, it is the correct password.

- --
Solbu - http://www.solbu.net
Remove '.ugyldig' for email
PGP key ID: 0xFA687324
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFL/HNdT1rWTfpocyQRAj2bAJ9sZeCDQ5UlpCz6gt6VAE6bo1k2ywCffZe+
r2tKgaoNYedfSW7VsOI/14I=
=BVYL
-----END PGP SIGNATURE-----
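Added example (not Solbu's code and not the Linux crypt(3) implementation): the one-way scheme described above, written out in Python. The stored record holds only a random salt and a PBKDF2-HMAC-SHA256 digest of the password (the algorithm and the 100000 iteration count are assumptions chosen for the example); checking a login means recomputing the digest from the entered string with the stored salt and comparing. Two details a practitioner would want beyond the post: a per-user salt, so equal passwords do not produce equal records, and a constant-time comparison, so the check does not leak how many leading bytes matched.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption for the example; not a 2010-era crypt(3) parameter
RECORD_SEP = "$"


def make_password_record(password: str, salt: bytes = None) -> str:
    """Return '<hex salt>$<hex digest>'. The password itself is never stored, so
    nothing in the record (or on the system) can be turned back into it."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + RECORD_SEP + digest.hex()


def check_password(candidate: str, record: str) -> bool:
    """Recompute the digest of the entered string with the stored salt and compare
    it to the stored digest in constant time."""
    salt_hex, digest_hex = record.split(RECORD_SEP, 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    # hmac.compare_digest avoids a timing side channel that a plain == on the
    # hex strings would have (== returns at the first differing character).
    return hmac.compare_digest(recomputed.hex(), digest_hex)


if __name__ == "__main__":
    record = make_password_record("hunter2")          # constructed sample password
    print("stored record:", record)
    print("correct password accepted:", check_password("hunter2", record))
    print("wrong password rejected:  ", not check_password("hunter3", record))
    # Same password, different salt: the records differ, so equal passwords
    # across accounts cannot be spotted by comparing stored digests.
    print("records differ across salts:", record != make_password_record("hunter2"))
```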
From: Datesfat Chicks on 26 May 2010 09:24

"Maaartin" <grajcar1(a)seznam.cz> wrote in message news:725706e0-ec63-46a1-b4a1-f9daf49a85c9(a)e21g2000vbl.googlegroups.com...
>
> You ignored my objection: I said that using one separate hash for
> verification gives you no advantage and lowers the ratio of the
> attacker's work to the legitimate user's work.

That's because I agree with you.

Datesfat