1
0
Fork 0
mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-11-14 01:32:11 +00:00

Correct information regarding symmetric keys

I forgot to add salt. Thanks u/RisenSteam.
This commit is contained in:
Rohan Kumar 2021-01-16 20:51:04 -08:00
parent ec667c9f3e
commit 56410531fe
No known key found for this signature in database
GPG key ID: 1E892DB2A5F84479
2 changed files with 15 additions and 5 deletions

View file

@ -30,10 +30,15 @@ A good measure of password strength is *entropy bits.* The entropy bits in a pas
A brute-force attack that executes 2ⁿ guesses is certain to crack a password with n entropy bits, and has a one-in-two chance of cracking a password with n+1 entropy bits. A brute-force attack that executes 2ⁿ guesses is certain to crack a password with n entropy bits, and has a one-in-two chance of cracking a password with n+1 entropy bits.
For scale, AES 256 encryption is currently the industry standard for strong symmetric encryption. As the name suggests, its keys have 256 bits of entropy; if your password has more than 256 entropy bits, then the AES-256 encryption algorithm is the bottleneck. For scale, AES 256 encryption is currently the industry standard for strong symmetric encryption.
=> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Advanced Encryption Standard (Wikipedia) => https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Advanced Encryption Standard (Wikipedia)
As the name suggests, its keys have 256 bits of entropy. Be aware that AES keys are typically derived from key derivation functions that salt and hash passwords, so a brute-force attack to discover the password from an AES key would be against such a function. Perhaps I could address that in a future article.
=> https://en.wikipedia.org/wiki/Key_derivation_function Key derivation function (Wikipedia)
=> https://en.wikipedia.org/wiki/Salt_(cryptography) Salt (cryptography) (Wikipedia)
To calculate the entropy of a password, I recommend using a tool such as zxcvbn or KeePassXC. To calculate the entropy of a password, I recommend using a tool such as zxcvbn or KeePassXC.
=> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler zxcvbn: Low-Budget Password Strength Estimation => https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler zxcvbn: Low-Budget Password Strength Estimation
@ -272,7 +277,7 @@ A publication⁵ by Seth Lloyd from MIT further explores limits to computation s
## Acknowledgements ## Acknowledgements
Thanks to Barna Zsombor and Ryan Coyler for helping me over IRC with my shaky physics and pointing out the caveats of my approach. Thanks to Barna Zsombor and Ryan Coyler for helping me over IRC with my shaky physics and pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected my reference to AES-256 encryption by bringing up salts.
My notes from Thermal Physics weren't enough to write this; various Wikipedia articles were also quite helpful, most of which were linked in the body of the article. My notes from Thermal Physics weren't enough to write this; various Wikipedia articles were also quite helpful, most of which were linked in the body of the article.

View file

@ -69,8 +69,12 @@ with *n*+1 entropy bits.
For scale, [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) For scale, [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
encryption is currently the industry standard for strong symmetric encryption. As the encryption is currently the industry standard for strong symmetric encryption. As the
name suggests, its keys have 256 bits of entropy; if your password has more than 256 name suggests, its keys have 256 bits of entropy. Be aware that AES keys are
entropy bits, then the AES-256 encryption algorithm is the bottleneck. typically derived from [key derivation
functions](https://en.wikipedia.org/wiki/Key_derivation_function) that
[salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) and hash passwords, so a
brute-force attack to discover the password from an AES key would be against such a
function. Perhaps I could address that in a future article.
To calculate the entropy of a password, I recommend using a tool such as To calculate the entropy of a password, I recommend using a tool such as
[zxcvbn](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler) [zxcvbn](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler)
@ -339,7 +343,8 @@ Acknowledgements
Thanks to [Barna Zsombor](http://bzsombor.web.elte.hu/) and [Ryan Thanks to [Barna Zsombor](http://bzsombor.web.elte.hu/) and [Ryan
Coyler](https://rcolyer.net/) for helping me over IRC with my shaky physics and Coyler](https://rcolyer.net/) for helping me over IRC with my shaky physics and
pointing out the caveats of my approach. pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected my
reference to AES-256 encryption by bringing up salts.
My notes from Thermal Physics weren't enough to write this; various Wikipedia My notes from Thermal Physics weren't enough to write this; various Wikipedia
articles were also quite helpful, most of which were linked in the body of the articles were also quite helpful, most of which were linked in the body of the