On Mar 27, 2012 10:10 AM, "Markus Schaber" <m.schaber_at_3s-software.com>
wrote:
>
> Hi, Gregs,
>
> Von: Greg Stein [mailto:gstein_at_gmail.com]
>
> > On Mon, Mar 26, 2012 at 11:45, Greg Hudson <ghudson_at_mit.edu> wrote:
> > >...
> > > Unfortunately, there's more complexity in an encrypted password store
> > >than you probably anticipated, and it's definitely possible to lose
> > >some or most of your intended security properties if you get it wrong.
> > >
> > > The choice of best cipher algorithm today is very simple (AES,
> > > although you'll have to pick the key size from 128/196/256 bits), but
> >
> > AES-256 in CBC mode was my buddy's suggestion.
>
> I hope that expert really is an expert.
Yes, he is. John Viega. Thanks for not trusting me. :-/
>
> Playing with crypto on your own is never a good idea.
I am well aware, thank you. That is precisely why I talked to John about
the scenario in my personal project. He responded with design info for
svn's scenario, but then tweaked his response a bit when I mentioned I had
no master passphrase. IOW, we already have some expert advice for what svn
is trying to do.
> So we really should have good reasons to do it on our own, and then try
very hard to make sure that we do it "right". :-)
What do you think we're already doing?
>...
> We could use some marker-tag or header naming the algorithm, so upgrades
can be done in a future-proof way, but actually implementing one single
algorithm should be enough.
No need for a tag. It is specified by the design. A tag gives you no extra
data.
> > > If you don't use CTR mode, you'll need to pick a reversible padding
> > > function for the plaintext so that it matches a multiple of the
> > > cipher's block size. This is pretty simple.
> >
> > In my wiki update, I mentioned 32 bits of random prefix (makes
dictionary
> > attacks even harder), and pad with NUL characters. AES uses
> > 16 byte blocks, and keys of 16/24/32 bytes.
>
> Padding with NUL characters opens a known plaintext window at the end of
the passphrase. Maybe it's better to pad with random characters.
Then you need a length. Either way, I don't care.
>
> Hmm, I remember someone saying it's not easy to get crypto right, right?
:-)
Oh, shut up already. I know that.
-g
Received on 2012-03-27 17:47:23 CEST