5

Can you explain this passage from Wikipedia?

> When a password (or passphrase) is used as an encryption key, well-designed cryptosystems first run it through a key derivation function which adds a salt and compresses or expands it to the key length desired, for example by compressing a long phrase into a 128-bit value suitable for use in a block cipher.

A longer password is more secure (in terms of bruteforce attack) than a short one, isn't it?

If the password is "pass", what's the resulting key?

Surfer on the fall

2 Answers

9

Cryptographic keys are usually fixed-length values. Unfortunately, humans can't remember long strings of numbers, so we use passwords instead.

For example, this might be your 256-bit key:

d4f6d068b4e8c4e924ce9b28585a6009672e56d61215e7d9251b5d36283edd5d

Not too easy to remember, is it?

However, the above was generated by computing a cryptographic hash (in this case SHA256) of the word "waffles", which is much easier to remember. A hash function takes an arbitrary length input, and computes a fixed length output.

In reality, we need key-derivation functions (KDFs) to have special properties. One desirable property is that it should be computationally infeasible to compute m from h, where h = KDF(m), i.e. it's difficult to compute the input of the function if you only know the output. Another desirable property is that the function is computationally expensive (slow) enough to make computing millions of keys infeasible, without degrading performance for legitimate uses. As such, special KDF schemes such as PBKDF2 and bcrypt are usually used to compute these cryptographic keys from easily remembered passwords.

The only practical way to break a key generated by an ideal strong key-derivation function is to guess likely passwords. If your password is "password", it's likely to be broken. If your password is a string of 20 random letters and numbers, it's much less likely to be guessed.

To address the question you ask at the end:

> If the password is "pass", what's the resulting key?

This isn't really a question that makes much sense. The result could be anything. There are lots of different hash functions (MD5, SHA1, SHA256, SHA512, Whirlpool, RIPEMD160, etc) and many different key-derivation functions (PBKDF2, bcrypt, scrypt), which can use salts or HMAC. The possibilities are endless!

Polynomial
  • Great answer. I forgot to say: what's the resulting key in the key generation process for AES with openssl? – Surfer on the fall Aug 21 '12 at 09:05
  • You mean the session key? It's randomly generated and exchanged using asymmetric crypto (public / private keys). No hashes or key derivation functions are involved in generating it. Passwords aren't used to create SSL connections. – Polynomial Aug 21 '12 at 09:10
  • Ehm, no. When I use, in PHP, `openssl_encrypt ('mystring','aes128', 'mypass')`, how is the 128-bit resulting key generated? Thank you :) – Surfer on the fall Aug 21 '12 at 09:14
  • A question: if I use a 1000-char salt in the passphrase, is the encryption significantly safer? – Surfer on the fall Aug 21 '12 at 09:21
  • 1
    That's not actually SSL, it's a generic data encryption function provided by the OpenSSL library. The key derivation function is implementation specific, so I can't tell you what it will be. It's likely configurable in your OpenSSL settings. – Polynomial Aug 21 '12 at 09:23
  • 1
    Salts don't make keys stronger. They make it infeasible to compute rainbow tables. See [How to store salt?](http://security.stackexchange.com/questions/17421/how-to-store-salt/) – Polynomial Aug 21 '12 at 09:24
  • Sure, but a longer salt makes the bruteforcing more infeasible, doesn't it? – Surfer on the fall Aug 21 '12 at 09:27
  • 1
    Not in the slightest. Computing `KDF('hello')` is almost exactly as fast as computing `KDF('3f8vH5n20H93@r...72$3.A0hello')`. – Polynomial Aug 21 '12 at 09:28
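
The points made in the answer and comments above, as an added example that is not code from either poster: a password of any length becomes a fixed-length key, a different salt gives an unrelated key for the same password, and the cost of testing one guess follows the iteration count rather than the salt length. It assumes PBKDF2-HMAC-SHA256 from Python's `hashlib`; the iteration count, salt sizes and sample passwords are illustrative choices, not values from the page.

```python
import hashlib
import os
import time

KEY_LEN = 16          # bytes: a 128-bit key, as in the quoted passage
ITERATIONS = 100_000  # assumed work factor for this example


def naive_key(password: str) -> bytes:
    """Single unsalted SHA-256, truncated to KEY_LEN: fast, same result everywhere."""
    return hashlib.sha256(password.encode("utf-8")).digest()[:KEY_LEN]


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: any-length password in, KEY_LEN-byte key out."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def seconds_per_key(salt: bytes, iterations: int, samples: int = 5) -> float:
    """Average time to derive one key, i.e. the cost of testing one guess."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    long_phrase = "correct horse battery staple " * 10  # constructed sample input

    # Short and long passwords both yield a 16-byte key.
    print("short :", derive_key("pass", salt_a).hex())
    print("long  :", derive_key(long_phrase, salt_a).hex())

    # Same password, different salt: unrelated keys, so a table precomputed
    # for one salt says nothing about keys derived with another.
    print("salt_b:", derive_key("pass", salt_b).hex())

    # Cost per guess tracks the iteration count, not the salt length.
    for label, salt, iters in [("8-byte salt, 100k iterations", os.urandom(8), 100_000),
                               ("1000-byte salt, 100k iterations", os.urandom(1000), 100_000),
                               ("8-byte salt, 1k iterations", os.urandom(8), 1_000)]:
        print(f"{label}: {seconds_per_key(salt, iters) * 1000:.2f} ms per key")
```

The salt is not secret; it has to be stored alongside the ciphertext so the same key can be derived again for decryption.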
6

What the passage is saying is that the cryptosystem derives the key from a password.

For example, AES-256 uses a 256-bit key. A (very) simple system might perform a SHA256 hash on your password and use the resulting 256-bit output as the key for encryption.

All the usual caveats involving passwords apply - use bcrypt or pbkdf2 algorithms, use a salt etc. More information on proper password hashing can be found in the many questions already asked on the site. You might want to search the or tags.

> A longer password is more secure (in terms of bruteforce attack) than a short one, isn't it?

Yes, a longer (and more random) password has more entropy and is thus more secure.

> If the password is "pass", what's the resulting key?

This really depends on what hashing algorithm you are using.

  • Thanks, I'd like to know what that process is in openssl encryption. Is there any reference about that? – Surfer on the fall Aug 21 '12 at 08:51
  • @user1294101 just read through the documentation found on the openssl site. There is too much information to cover in a single question/answer. –  Aug 21 '12 at 08:54
  • Thanks, just a question: if I use, for example, a 1000-char salt in the passphrase, is the encryption significantly safer? – Surfer on the fall Aug 21 '12 at 09:21
  • @Surferonthefall No, adding salt only makes the use of rainbow tables impractical for an attacker. 1000 bytes provides no advantage over 8 bytes, which many consider adequate. – Terrel Shumway Sep 13 '13 at 20:43