mirror of
https://git.sr.ht/~seirdy/seirdy.one
synced 2024-11-14 01:32:11 +00:00
Correct information regarding symmetric keys
I forgot to add salt. Thanks u/RisenSteam.
This commit is contained in:
parent
ec667c9f3e
commit
56410531fe
2 changed files with 15 additions and 5 deletions
|
@ -30,10 +30,15 @@ A good measure of password strength is *entropy bits.* The entropy bits in a pas
|
||||||
|
|
||||||
A brute-force attack that executes 2ⁿ guesses is certain to crack a password with n entropy bits, and has a one-in-two chance of cracking a password with n+1 entropy bits.
|
A brute-force attack that executes 2ⁿ guesses is certain to crack a password with n entropy bits, and has a one-in-two chance of cracking a password with n+1 entropy bits.
|
||||||
|
|
||||||
For scale, AES 256 encryption is currently the industry standard for strong symmetric encryption. As the name suggests, its keys have 256 bits of entropy; if your password has more than 256 entropy bits, then the AES-256 encryption algorithm is the bottleneck.
|
For scale, AES 256 encryption is currently the industry standard for strong symmetric encryption.
|
||||||
|
|
||||||
=> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Advanced Encryption Standard (Wikipedia)
|
=> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Advanced Encryption Standard (Wikipedia)
|
||||||
|
|
||||||
|
As the name suggests, its keys have 256 bits of entropy. Be aware that AES keys are typically derived from key derivation functions that salt and hash passwords, so a brute-force attack to discover the password from an AES key would be against such a function. Perhaps I could address that in a future article.
|
||||||
|
|
||||||
|
=> https://en.wikipedia.org/wiki/Key_derivation_function Key derivation function (Wikipedia)
|
||||||
|
=> https://en.wikipedia.org/wiki/Salt_(cryptography) Salt (cryptography) (Wikipedia)
|
||||||
|
|
||||||
To calculate the entropy of a password, I recommend using a tool such as zxcvbn or KeePassXC.
|
To calculate the entropy of a password, I recommend using a tool such as zxcvbn or KeePassXC.
|
||||||
|
|
||||||
=> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler zxcvbn: Low-Budget Password Strength Estimation
|
=> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler zxcvbn: Low-Budget Password Strength Estimation
|
||||||
|
@ -272,7 +277,7 @@ A publication⁵ by Seth Lloyd from MIT further explores limits to computation s
|
||||||
|
|
||||||
## Acknowledgements
|
## Acknowledgements
|
||||||
|
|
||||||
Thanks to Barna Zsombor and Ryan Coyler for helping me over IRC with my shaky physics and pointing out the caveats of my approach.
|
Thanks to Barna Zsombor and Ryan Coyler for helping me over IRC with my shaky physics and pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected my reference to AES-256 encryption by bringing up salts.
|
||||||
|
|
||||||
My notes from Thermal Physics weren't enough to write this; various Wikipedia articles were also quite helpful, most of which were linked in the body of the article.
|
My notes from Thermal Physics weren't enough to write this; various Wikipedia articles were also quite helpful, most of which were linked in the body of the article.
|
||||||
|
|
||||||
|
|
|
@ -69,8 +69,12 @@ with *n*+1 entropy bits.
|
||||||
|
|
||||||
For scale, [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
|
For scale, [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
|
||||||
encryption is currently the industry standard for strong symmetric encryption. As the
|
encryption is currently the industry standard for strong symmetric encryption. As the
|
||||||
name suggests, its keys have 256 bits of entropy; if your password has more than 256
|
name suggests, its keys have 256 bits of entropy. Be aware that AES keys are
|
||||||
entropy bits, then the AES-256 encryption algorithm is the bottleneck.
|
typically derived from [key derivation
|
||||||
|
functions](https://en.wikipedia.org/wiki/Key_derivation_function) that
|
||||||
|
[salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) and hash passwords, so a
|
||||||
|
brute-force attack to discover the password from an AES key would be against such a
|
||||||
|
function. Perhaps I could address that in a future article.
|
||||||
|
|
||||||
To calculate the entropy of a password, I recommend using a tool such as
|
To calculate the entropy of a password, I recommend using a tool such as
|
||||||
[zxcvbn](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler)
|
[zxcvbn](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler)
|
||||||
|
@ -339,7 +343,8 @@ Acknowledgements
|
||||||
|
|
||||||
Thanks to [Barna Zsombor](http://bzsombor.web.elte.hu/) and [Ryan
|
Thanks to [Barna Zsombor](http://bzsombor.web.elte.hu/) and [Ryan
|
||||||
Coyler](https://rcolyer.net/) for helping me over IRC with my shaky physics and
|
Coyler](https://rcolyer.net/) for helping me over IRC with my shaky physics and
|
||||||
pointing out the caveats of my approach.
|
pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected my
|
||||||
|
reference to AES-256 encryption by bringing up salts.
|
||||||
|
|
||||||
My notes from Thermal Physics weren't enough to write this; various Wikipedia
|
My notes from Thermal Physics weren't enough to write this; various Wikipedia
|
||||||
articles were also quite helpful, most of which were linked in the body of the
|
articles were also quite helpful, most of which were linked in the body of the
|
||||||
|
|
Loading…
Reference in a new issue