Applications and the Future - Codes: The Guide to Secrecy from Ancient to Modern Times

Cryptography Reference

In-Depth Information

“salted” message (see Footnote 3.8 on page 136). Passphrases may be salted,

or as we saw with the explanation of SRP (see page 200), a salt and a verifier

can be used to eliminate the need for direct password-based schemes.

Why Use Salt?

The purposes behind saltinga passphrase are threefold.

1. Eliminatingthe visibility of duplicate passphrases on a user's file.

2. Increasing the bitlength of the passphrase, to thwart password-guessing.

3. Helpingto thwart attacks such as the dictionary attack (see Footnote 5.2

on page 201).

Proactive Password Selection

Since human beings are notoriously lazy about choosing proper passwords,

instead selectingeasy-to-remember words, and nelectingsecurity, there needs

to be a means for ensuringthat user-chosen passwords are acceptable. This

is where a proactive password checker comes into play. This built-in checker

will determine if a user-selected password is acceptable, and reject it if not,

promptingthe user to try aain. System enforcement may contain some of the

followingcriteria.

Passphrase Selection Criteria

Parts 1-4 below refer to the criteria for a proactive checker itself, whereas

the remainder are more for a given user to consider when choosing a passphrase.

1. All passphrases must have at least ten symbols.

2. There must be at least three of: lower case letters; upper case letters;

numeric; and characters such as !,#,),&,*,

❅

, and so on.

3. No symbols should be repeated.

4. No actual words should be used.

5. No personal data such as birthdays, or telephone numbers should be used.

6. Memorize the passphrase. Never write it down and do not store it on your

computer as a file.

Of course, the above criteria are also known by Mallory, so he knows which

passphrases he should not try, but if properly implemented, a brute-force attack

is made less likely to succeed.

There exist methods for creatingeffective and eLcient passphrase checkers,

which do not require lots of space and time as would, say, a list of stored

“unacceptable” phrases. There is a Markov model (see [64]), and a Bloom filter

model, both of which are probabilistic methods (for details, the interested reader

may consult: [267] and [268]).

Search WWH ::

Custom Search

Home