Cryptography Reference
In-Depth Information
Thus, if the claimant is a machine then it is possible that a cryptographic key can
be something that is 'known'.
2. Where humans are required to 'know' a cryptographic key, they normally
activate the key by presenting identity information that is easier to remember
such as a PIN, password or passphrase. Of course, this reduces the effective
security of that cryptographic key from that of the key itself to that of the shorter
information used to activate it. We revisit this issue in Section 10.6.3.
We will now proceed to look more closely at ways in which cryptography can be
employed to assist in the provision of identity information based on something
that the claimant knows.
Passwords are still one of the most popular techniques for providing identity
information, although they have many obvious flaws. We will briefly look at some
of these flaws as motivation for enhanced techniques. We will also reexamine the
use of cryptography for password protection. Note that in this section we use the
term 'password' very loosely, since much of our discussion equally applies to the
likes of PINs and passphrases.
8.4.1
Problems with passwords
The attractive properties of passwords are that they are simple and familiar. These
are the reasons that they are ubiquitously used as identity information. However,
they have several flaws that severely limit the security of any application that
employs them:
Length
. Since passwords are designed to be memorised by humans, there is a
natural limit to the length that they can be. This means that the
password space
(all possible passwords) is limited in size, thus restricting the amount of work
required for an exhaustive search of all passwords.
Complexity
. The full password space is rarely used in applications because
humans find randomly generated passwords hard to remember. As a result
we often work from highly restricted password spaces, which greatly reduces
the security. This makes dictionary attacks possible, where an attacker simply
exhaustively tries all the 'likely' passwords and hopes to eventually find the
correct one (see Section 1.6.5). Clever pneumonic techniques can slightly
increase the size of a usable password space. Where users are requested to
adopt complex passwords a usability-security tradeoff is soon reached, since
it is more likely that a complex password will be transferred into 'something
the claimant has' in the form of a written note, which in many cases defeats
the purpose of using passwords in the first place. Moving from passwords to
