From owner-freebsd-security Mon May 17 7:23:31 1999 Delivered-To: freebsd-security@freebsd.org Received: from schuimpje.snt.utwente.nl (schuimpje.snt.utwente.nl [130.89.238.4]) by hub.freebsd.org (Postfix) with ESMTP id 7515815469 for ; Mon, 17 May 1999 07:23:28 -0700 (PDT) (envelope-from jeroen@vangelderen.org) Received: from wit395301.student.utwente.nl ([130.89.235.121]:32787 "EHLO vangelderen.org" ident: "NO-IDENT-SERVICE[2]") by schuimpje.snt.utwente.nl with ESMTP id <8068-32302>; Mon, 17 May 1999 16:23:14 +0200 Message-ID: <37402654.EE74B389@vangelderen.org> Date: Mon, 17 May 1999 16:23:16 +0200 From: "Jeroen C. van Gelderen" X-Mailer: Mozilla 4.51 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Kris Kennaway Cc: Adam Shostack , nr1@ihug.co.nz, freebsd-security@FreeBSD.ORG Subject: Re: secure backup References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris Kennaway wrote: > > On Mon, 17 May 1999, Jeroen C. van Gelderen wrote: > > > This feature has been available since PGP's early days. It > > uses PGP's default symmetric cipher. > > Which is what? I don't have PGP handy here.. IIRC IDEA for the 2.x series. CAST5 (default), TripleDES or IDEA for the 5.x/6.x versions. > > I realize that. But using bdes(1) when you have PGP available is not a > > very good idea. Using bdes(1) actually never is a good idea because of > > it's crappy key handling (no hashing). bdes(1) allows you to shoot > > yourself in the foot without you realizing it. > > Can you elaborate on this? Apart from the fact that bdes expects keys to be > given on the command line for non-interactive use (and not taken from a file, > which should be an easy hack to make), what's wrong with it? The problem is the people that use it: they pick non-random passwords. If you are *very* lucky, a password has 6 bits of entropy per character, you can only enter 8 characters -> 48 bits. This assumes a random distribution over 64 characters, quite unlikely. One (partial) solution is to accept longer passphrases, hashing them down to 56 bits of DES key. If you use a cryptographically strong hash function (SHA-1) it will preserve the entropy from the given password. Another advantage of this approach is that you can introduce salt and/or multiple hashing to slow down brute force attacks. And -chances are small but not non-existent- it is possible to choose DES weak keys, something that PGP automatically avoids for you. PGP delivers all these 'advanced' techniques in a reputable program. So you'd better benefit from all the expertise that's been put into PGP than invent yourself a scheme. > > > If you use a random passphrase as in my suggestion then dictionary attacks are > > > worthless and you're only vulnerable to an (expensive) brute force keyspace > > > search. Encrypting the already encrypted stream doesn't buy you anything I can > > > see, except the extra CPU time. But it's not a big deal. > > > > Uhm, a dose of reality here: how many people will pick random > > passphrases of sufficient length? There is almost never reason to > > disable SSH encryption. > > Yes, but the original problem related to a non-interactive tape backup. There > is no reason to have the encryption key as a human-memorable phrase; on the > contrary it's much better to make it a machine-generated random string of the > sufficient length. How many people do this? You will have to restore the backup at some point in the future. And at that point in time, access to the vault (where the paper with the passwords is) may not be available. There's a subtle difference between theory and practice here. Cheers, Jeroen PS. s/PGP/GnuPG/ if you want. -- Jeroen C. van Gelderen - jeroen@vangelderen.org - 0xC33EDFDE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message