12

Is it ever appropriate to use real-world passwords to encrypt files to be sent via unsecure means.

By real world, I mean a password that is memorable and memorisable by a mere person?

I am implying that in order to securely encrypt a file you must follow this guidance:

  • Use a long random password with enough bits of entropy to give a secure symmetric key.
  • Think carefully about data sensitivity relative to Moore's Law(i.e. what is the impact if this data is read in 10 years from now by the more advanced computers)
  • Think carefully about how to transmit the password to an authorized party (offline delivery of password)

In the light of this, I would suspect that asymmetric encryption of files are very much better in security terms than symmetric password encryption all other things being equal.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
Andrew Russell
  • 3,633
  • 1
  • 20
  • 29

5 Answers5

10

You are thinking of two things:

  • Kerckhoff's principle. The main idea is that the key needs to be the secret. If any part of your system requires the algorithm to remain unknown, your system is in deep trouble. The term for any system that requires the secrecy of the algorithm is "security by obscurity" and it is derided as terrible, because it is terrible. The national security agencies get away with it because they also ensured that even with classified hardware, Kerckhoff's principle still applies. This is why when John Walker started handing over code strips to the Soviets, they didn't have the hardware, so they convinced the North Koreans to seize the USS Pueblo. The NSA knew that the machinery seized would be worthless without the keying material - not knowing that the Soviets were getting a complete set of code keys for most of the US Navy.

  • The entropy of your password. Shannon determined that the entropy of English words ranges between 0.6 and 1.3 bits per character. This means that if you need 40 bits worth of entropy for your key, and you pick English words, you'll need pass-phrases between 31 and 67 letters long. This is behind the reason folks ask for upper & lower case letters along with digits and symbols: to increase the entropy.

Tangurena
  • 451
  • 2
  • 9
7

A password that can be memorized by an average person is, by its nature, insecure: because it has to be short enough to be memorable, it simply can't be long enough to provide protection against anything other than a casual, manual attack. Even a memorable passphrase has a degree of insecurity related to the attacker's knowledge of the victim, and that's not including the issue of ensuring that the passphrase is securely shared between sender and recipient. (Any method of securing the passphrase could equally be applied to the files to be encrypted: it could be argued that rather than securing the passphrase, you should simply secure the files themselves.)

I think it would be reasonable to use "real-world" passwords or passphrases only in cases where the files to be secured are not particularly sensitive and restricting access is simply a token action.

  • Not every method to secure the passphrase is applied to the 'files to be encrypted' in the real world because of speed concerns (e.g. PGP uses a combination of a symmetric block cypher to the message and RSA to encrypt only the key used in the symmetric block cypher). –  Jul 13 '11 at 14:04
5

I am implying that in order to securely encrypt a file you must follow this guidance:

  • Use a long random password with enough bits of entropy to give a secure symmetric key.
  • Think carefully about data sensitivity relative to Moore's Law(i.e. what is the impact if this data is read in 10 years from now by the more advanced computers)
  • Think carefully about how to transmit the password to an authorized party (offline delivery of password)

I would agree with that. But I also don't think that's excessively cumbersome.

Think about granting someone access to your house: if there is a lock, you generally need to give them a copy of a key. The alternatives are:

  • don't lock the house (some people in rural areas do this)
  • hide a copy of a key in an obscure place, and tell someone where it is
  • make an obscure method to obtain entry (e.g. some weird lever somewhere that unlatches a door or window... more practically, a mechanical/electronic combination lock would suffice)

If I were worried about security, and I wanted to grant frequent access to my house to a relative or friend, I'd make the effort to give them a key.

In the same way, if I were frequently exchanging documents with someone else, and all I had was a password-protected system (as opposed to secure storage, or public-key encryption), I'd pick a long, unmemorizable random password, and take the effort to transmit this password to them in an out-of-band channel, e.g. by phone, or by posting a document via the Web in an obscure place for a very short period of time.

Jason S
  • 394
  • 1
  • 8
  • This is normally done with a "lock box" (combination lock to hold the key) as you suggest in your third bullet. Folks might be scared to take the key away from the house for long enough to go make a copy, so it is a bit better than actually giving them a key. But note you can change the locks on your house, so the analogy isn't so good..... – nealmcb Jul 13 '11 at 15:35
  • @nealmcb: well, the point you raise about analogy is related to the difference between encrypted data and protocols that use encryption. Encrypted data is immutable and the key can't be changed after-the-fact; cryptographic protocols can change their keys with suitable re-encryption. – Jason S Jul 13 '11 at 15:55
4

Moore's Law can be counteracted by using a slow key derivation. For instance, PBKDF2 turns a password into a key by applying many iterations of a hash-like function. You can tune the number of iterations so that the operation is still tolerable on your computer (e.g. it takes no more than one second). The advantage of the attacker is then the product of his patience and his relative wealthiness: if the attacker can have a (cluster of) computer(s) which is 1000 times more powerful than your own machine, and if the computer is ready to invest a dozen days (1000000 seconds) of computation into breaking your encryption scheme, then the attacker will be able to try about 1 billion potential passwords. It is possible to memorize passwords with a higher entropy than that (e.g. passwords which consist of two letters, then two digits, then two letters, then two digits, such as "qw04qr29" or "fm17zz05", are memorizable and are from a space of about 4.5 billions possible passwords).

On the bright side, the attacker advantage is no longer dependent on Moore's law, as long as you keep the iteration number up to date (this can be an issue for long-term secrets, e.g. an attacker trying to crack an encrypted file which he copied ten years ago). On the darker side, typical users have a tendency of being utterly disappointing when it comes to memorizing seemingly "simple" passwords, or refraining from, e.g., writing them down on a sticky note.

Asymmetric cryptography does not solve the problem, it just moves it around: how do you protect the user private key ? One possible solution is to store a "master secret" (e.g. a user asymmetric private key) in a device which arbitrarily limits the rate of "guesses" by an attacker. This can be a smartcard which simply shuts down after three wrong PIN codes. This can be a server which authenticates users with a password but permits only ten tries per hour.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
4

In the light of this, I would suspect that asymmetric encryption of files are very much better in security terms than symmetric password encryption all other things being equal.

The problem there is that other things aren't equal. Using an asymmetric cipher requires much longer key lengths, the encryption is orders of magnitude more expensive, and streaming cipher modes aren't well-defined or standard. Remember that the entropy of an n-bit asymmetric key is very much less than the similar size symmetric key, while the computation needed for the encryption is much greater.