[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AW: I-D ACTION:draft-funk-radiusext-shared-secret-amp-01.txt

Title: Nachricht
Reading my own mail again, I guess I replaced the word entropy one time too often. I also now amended the definition to make it more clear what I mean.
 
Apologies and regards...Lothar
-----Ursprüngliche Nachricht-----
Von: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] Im Auftrag von Reith, Lothar [HAHN:NGD:EXCH]
Gesendet: Donnerstag, 2. September 2004 10:08
An: 'Paul Funk'; 'Clint Chaplin'; 'radiusext@ops.ietf.org'
Betreff: AW: I-D ACTION:draft-funk-radiusext-shared-secret-amp-01.txt

Paul,

from what I understand you really seem to be talking about a concept which one could perhaps refer to as "guessability".


When applying this proposed term to one of your definitions, (replacing some but not all occurances of "entropy" with "guessability") it reads like this:

The  cryptographic entropy  of a collection (of passwords) is only indirectly related to the difficulty of attack, which can only be defined as the probability of success against  a  number of tries. For example, a population  of users in which "swordfish" is used 50% of the time, but a billion other passwords are equiprobable the other 50% of the time, has entropy of about 15 bits, but a "guessability" of 50% (if the attacker knows that the term swordfish is  most popular for use as password  and therefore tries it first- this is an abstraction of the concept of dictionary attack).

Note that it leaves the word entropy in  it's cryptographic meaning (by the way I did not know of the cryptographic definition, only of the physical definition in the first place).

Best Regards, Lothar



-----Ursprüngliche Nachricht-----
Von: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] Im Auftrag von Paul Funk
Gesendet: Donnerstag, 2. September 2004 03:14
An: Clint Chaplin; radiusext@ops.ietf.org
Betreff: Re: I-D ACTION:draft-funk-radiusext-shared-secret-amp-01.txt


Clint,

I don't disagree. I'll even add to your point by saying that it makes no sense to talk about the entropy of a single password. Entropy applies to populations; the entropy of a single item is 0. So you can't properly say that the password "swordfish" has entropy of 20 bits. You could say that within the collection of passwords actually used, "swordfish" is used one in a million times, and therefore has probability of 2 ^ -20. But the collection itself may have very low entropy; for example, if the only other password ever used is "tuna", and it gets used 999,999 out of a million times. So the probability of a password is not directly related to the difficulty of attack -- in the case just described, you only have to try 2 passwords.

In addition, the entropy of a collection is only indirectly related to the difficulty of attack, which can only be defined as the probability spectrum of success against number of tries. For example, a population in which "swordfish" is used 50% of the time, but a billion other passwords are equiprobable the other 50% of the time, has entropy of about 15 bits, but an attack will succeed in one try 50% of the time.

So talking about entropy in this context necessarily involves
a kind of shorthand. I'm not entirely sure how to talk about it with clarity and mathematical precision at the same time. The dodge that I took was to define "effective entropy", and I really should use that term consistently, as you point out. If you have a suggestion for how to use comprehensible language to discuss these matters, let me know.

Paul

At 05:25 PM 9/1/2004 -0700, Clint Chaplin wrote:
>I guess part of my problem is that the term "entropy" is being used
>here in two different incompatible but related senses, sort of like
>"pounds force" and "pounds mass".  Entropy in the cryptographic sense
>is the measure of the possible values an item may take on, and is
>measured in bits.  Entropy in the thermodynamic sense is the measure of
>the disorder in a system.
>
>Talking about "effective entropy" is a little bit like talking about
>"effective pounds mass" under acceleration, which makes my teeth itch.
>
>Clint (JOATMON) Chaplin
>Wireless Security Advisor
>Wireless Standards Lead
>
> >>> Bernard Aboba <aboba@internaut.com> 8/31/04 21:34:35 >>>
>Forwarded from Clint Chaplin...
>
>---------- Forwarded message ----------
>Date: Tue, 31 Aug 2004 19:47:20 -0700
>From: Clint Chaplin <cchaplin@symbol.com>
>To: aboba@internaut.com, radiusext@ops.ietf.org
>Subject: Re: I-D ACTION:draft-funk-radiusext-shared-secret-amp-01.txt
>
>Bernard: due to a snafu here at Symbol, the radiusext email list is
>silently rejecting my posts to it; however, I can still receive the
>emails from it.  Could you please forward this to the list for me?
>Thanks!
>
>I still disagree with the use of the term "entropy" within this I-D. As
>a simplistic way of looking at this, let's say that the input to this
>algorithm can only take on two distinct values, and also the salt can
>only take on two distinct values (these values may be expressed using
>many bits, but that won't change the argument).  Since the salt and the
>input can only have two distinct values, the entropy of each is only 1,
>and the two combined can only take on four distinct values, and thus
>have an entropy of 2.  Putting these four distinct valuse through the
>amplification process will still only yield an output with four
>distinct values (although these output values may also be expressed
>using many bits).  No matter how many times the algorithm is applied,
>the output will still only have a max of four distinct values, and a
>max entropy of 2.  Hashing never adds true entropy, and if a collision
>occurs, can reduce entropy.
>
>Yes, the term "effective entropy" can be used, but that just confuses
>the issue, I feel.  Plus, there are still places in the draft where
>"effective entropy" should be used for consistancy sake, and it is not.
>
>For instance, in the abstract, the phrase "A dictionary attack against
>the resulting shared secret will be infeasible due to its high
>entropy." should state "A dictionary attack against the resulting
>shared secret will be infeasible due to its high effective entropy."
>
>In the introduction, the phrase "A dictionary attack against the
>resulting shared secret will be infeasible due to its high entropy."
>should be "A dictionary attack against the resulting shared secret will
>be infeasible due to its high effective entropy."
>
>And so on.
>
>Clint (JOATMON) Chaplin
>Wireless Security Advisor
>Wireless Standards Lead
>
> >>> <Internet-Drafts@ietf.org> 8/27/04 12:42:15 >>>
>A New Internet-Draft is available from the on-line Internet-Drafts
>directories.
>
>
>         Title           : RADIUS Shared Secret Security Amplification
>         Author(s)       : P. Funk
>         Filename        : draft-funk-radiusext-shared-secret-amp-01.txt
>         Pages           : 10
>         Date            : 2004-8-27
>
>This draft describes how a mechanism defined in [PKCS-5] can be used
>    to amplify the security of a RADIUS shared secret; namely, that a
>    precursor secret is hashed many times to produce an amplified
>shared
>    secret for use in RADIUS.
>
>A URL for this Internet-Draft is:
>http://www.ietf.org/internet-drafts/draft-funk-radiusext-shared-secret-
>amp-01.txt
>
>
>To remove yourself from the I-D Announcement list, send a message to
>i-d-announce-request@ietf.org with the word unsubscribe in the body of
>the message. You can also visit
>https://www1.ietf.org/mailman/listinfo/I-D-announce
>
>to change your subscription settings.
>
>
>Internet-Drafts are also available by anonymous FTP. Login with the
>username "anonymous" and a password of your e-mail address. After
>logging in, type "cd internet-drafts" and then
>         "get draft-funk-radiusext-shared-secret-amp-01.txt".
>
>A list of Internet-Drafts directories can be found in
>http://www.ietf.org/shadow.html or
>ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>
>Internet-Drafts can also be obtained by e-mail.
>
>Send a message to:
>         mailserv@ietf.org.
>In the body type:
>         "FILE
>/internet-drafts/draft-funk-radiusext-shared-secret-amp-01.txt".
>
>NOTE:   The mail server at ietf.org can return the document in
>         MIME-encoded form by using the "mpack" utility.  To use this
>         feature, insert the command "ENCODING mime" before the "FILE"
>         command.  To decode the response(s), you will need "munpack" or
>         a MIME-compliant mail reader.  Different MIME-compliant mail
>readers
>         exhibit different behavior, especially when dealing with
>         "multipart" MIME messages (i.e. documents which have been split
>         up into multiple messages), so check your local documentation
>on
>         how to manipulate these messages.
>
>
>Below is the data which will enable a MIME compliant mail reader
>implementation to automatically retrieve the ASCII version of the
>Internet-Draft.
>
>
>_______________________________________________________________________
>_
>This email has been scanned for computer viruses.
>
>_______________________________________________________________________
>_
>This email has been scanned for computer viruses.
>
>--
>to unsubscribe send a message to radiusext-request@ops.ietf.org with
>the word 'unsubscribe' in a single line as the message text body.
>archive: <http://psg.com/lists/radiusext/>
>
>_______________________________________________________________________
>_
>This email has been scanned for computer viruses.
>
>--
>to unsubscribe send a message to radiusext-request@ops.ietf.org with
>the word 'unsubscribe' in a single line as the message text body.
>archive: <http://psg.com/lists/radiusext/>

Paul Funk
Funk Software, Inc.
617 497-6339
paul@funk.com


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.

archive: <http://psg.com/lists/radiusext/>