Hi,
On Sat, Sep 22, 2018 at 03:29:00PM +0000, procmem wrote:
> Best practice says to use a diceware passphrase that has equivalent
> entropy to the master-key. Since Grovers cuts down passphrase strength
> by half then a 256-bit diceware phrase is needed for future-proofing but
> that becomes unwieldly as 20 words are necessary. The only realistic
> option is to use keystretching to make passphrase length manageable.
To me, best practice is to use a reasonably affordable combination and
balance of key stretching (your job) and passphrase complexity (users'
responsibility, but you need to provide them with some guidance).
"Reasonably affordable" key stretching for that use case is something
that runs for e.g. 1 second. More than that is rarely a good idea for
everyday usage - you could type in an extra word instead of having to
wait for more than 1 second. Also, it probably means using something
like 1 GB of RAM, so that it works on current typical computers and VMs.
Then you see how many Diceware words or whatever you still need in that
passphrase in order to achieve a certain security level.
Regarding post-quantum, I'm no expert but realistically I'd just assume
that Argon2id will remain too complicated to implement and correctly
compute on a quantum computer in the foreseeable future, if ever. So
it's not a matter of how much stretching it provides - it primarily
provides "complication".
The stretching per se is thus against non-quantum computers. It goes
either as the number of operations (like Steve tried to calculate)
relative to a certain fast cryptographic hash, or as the product of that
and the memory usage (or as square of the number of operations if you
set t=1 to maximize the memory usage per time elapsed). Which is these
metrics or something inbetween is relevant depends on the kind of attack
hardware - whether it has the required memory anyway (a typical
computer) or the memory would cost extra (ASIC) or the memory is
available anyway but its size and latency are limiting what the attacker
can do (GPU).
> I was looking for advice on how to accurately calculate the security
> margin of argon2id against nation-state adversaries with a lot of
> computing power (of every type). The hashing implementation is the one
> included in Debian (as of Buster) LUKS2 with AES-256 XTS.
I think "security margin" means a different thing than what you ask
about in the message, so I suggest you avoid this wording.
> I've been trying to find an answer to this question by reading through
> the literature on argon2 with no success. Many people say it's hard so a
> non-cryptographer like me stands no chance understanding this. I asked
> JP Aumasson and he recommended I talk to you. Steve Thomas gave me the
> estimate quoted below but he also advised me to ask you.
>> Can you please share an equation and show me how to plug in the numbers
> to calculate the entropy added when any of the parameters are changed?
>> Steve:
> "2^27 < entropy < 2^35" for Argon2id m=1GiB, i=50, p=4.
I don't know what baseline hash Steve's estimate is against. Maybe the
uncertainty of this estimate is in part because the baseline is not
clearly defined - just something fast, which could be e.g. a round of
BLAKE2 or the whole BLAKE2.
More importantly, I doubt most of your userbase would be able to
consider such nuance without prior knowledge, nor do they need that.
So, no, you do not need "to accurately calculate" this. You could have
some accurate formula and figure, but without context and understanding
its nuances it'd be meaningless.
Anyway, taking your parameters m=1GiB, t=50 we have this for the number
of 1 KiB block operations:
20+log2(50) = ~26 bits
Each block consists of 16 BLAKE2b round computations (2 sequential sets
of 8), which is on par with 12 that BLAKE2b normally uses. We could
also consider the change from BLAKE2b to BlaMka, which will possibly
give Steve's minimum of 27 or more, but that's not obviously right -
this way of calculation (of the number of operations only) is most
relevant for typical computers, and on them BlaMka is about as fast as a
normal BLAKE2b round.
Now, going for the product of number of operations and memory usage
(relevant on attack hardware where memory is costly, which fits your
mentioned threat model with nation-state attackers potentially with
ASICs) we'd have:
20+20-log2(8*4)+log2(50) = ~41 bits
Again, this is against a rather arbitrary baseline now also of 1 KiB of
memory - but it's a realistic amount of memory that a fast cryptographic
hash not intended for key stretching could have used.
I subtract the parallelism (8x within a block and 4x thread-level p=4),
because for this sort of attacks the parallelism reduces the duration
for which the memory has to be occupied. On the other hand, this is
where the presumed additional slowness of BlaMka compared to a regular
BLAKE2b round on specialized hardware could finally matter. That could
give 3 or so bits more than the above estimate relative to BLAKE2b.
Then, I think t=50 is excessive. It isn't even the equivalent of a one
word longer passphrase, but it takes more time than typing a word would.
Perhaps you should consider t=3. That will be only "4 bits" less,
giving you something like 22 to 40 bits (depending on attack hardware)
of stretching relative to BLAKE2b.
> *I saw somehwere that increasing CPU cost lessens the effectiveness of
> memory cost and vice versa, is this how it works?
Not exactly. It doesn't "lessen the effectiveness of memory cost", but
it may limit what memory cost you'd use to fit in your time budget.
This usually applies in password hashing scenarios, and not in your KDF
scenario where you got ample time (1 second or more). Also, no, not
"vice versa".
A higher memory cost is more valuable to have than a higher time cost
parameter, because higher memory cost also implies more time spent.
Summary: you can use something like m=1 GiB, t=3, p=4. You can estimate
that this gives you stretching equivalent to 22 to 40 bits of Shannon
entropy against conventional computers (and especially against custom
hardware, which would otherwise have a greater advantage), and hope that
the very use of a complicated, long-running algorithm needing this much
memory breaks implementation/computation on quantum computers.
So m=1 GiB, t=3, p=4 combined with 7 Diceware words will give you
something like ~112 to ~128 bits, where the latter figure would actually
matter against attackers who could not-too-unrealistically pull this
kind of key search off. That's probably the maximum number of Diceware
words you'd recommend your users to use in combination with those
settings. In practice, I'd be surprised if 4 words were not enough as
that's ~90 bits against this sort of attackers, and why would they care
to invest more resources in an attack? (It's maybe ~74 bits against
regular computer attackers, but those attackers are relatively weak.)
Of course, your users should feel free to add some reasonable security
margin on top of this, through adding a few more Diceware words. Here,
I'm using the words to mean what I think they mean: an extra on top of
what's known to be required to achieve the desired security level.
Also, please note and make your users aware that the use of Shannon
entropy to measure password strength applies only when the distribution
is uniform, which in practice means that it applies only to a subset of
cases of generated (including e.g. with dice) passwords/phrases (the
subset where the distribution is uniform, which it should be). For
almost all purposes, it isn't a valid metric to use for human-chosen
passwords/phrases, where the distribution is highly non-uniform.
I hope this helps.
Alexander
More information about the Whonix-devel
mailing list
“Look here!” Dick began to chuckle. “We’ve got a queer combination to work with—our Sky Patrol has! Suspicious Sandy—and—Superstitious Jeff!” Sandy grinned ruefully, a little sheepishly. Larry smiled and shook his head, warning Dick not to carry his sarcasm any further, as Jeff frowned. 52 "You do doubt me. If you did not, it would never occur to you to deny it. You doubt me now, and you will doubt me still more if you don't read it. In justice to me you must." "That same. She was part Mescalero, anyway." This Act, as disgraceful as any which ever dishonoured the statute-book in the reigns of the Tudors or Stuarts, was introduced into the Commons, on the 12th of May, by Sir William Wyndham, and was resolutely opposed by the Whigs, amongst whom Sir Peter King, Sir Joseph Jekyll, Mr. Hampden, Robert Walpole, and General Stanhope distinguished themselves. They did not convince the majority, which amounted to no less than two hundred and thirty-seven to one hundred and twenty-six. In the Lords, Bolingbroke himself moved the second reading, and it was ably opposed by the Lords Cowper, Wharton, Halifax, Townshend, Nottingham, and others. The greatest curiosity was displayed regarding the part which Oxford would take, as it was known that in the Council he had endeavoured to soften the rigorous clauses; but in the House he followed his usual shuffling habit, declaring that he had not yet considered the question; and, having induced the Opposition to let the second reading pass without a division, he absented himself from the final voting, and thus disgusted both parties and hastened his own fall. The battle of Falkirk, which in itself appeared so brilliant an affair for Prince Charles, was really one of his most serious disasters. The Highlanders, according to their regular custom when loaded with plunder, went off in great numbers to their homes with their booty. His chief officers became furious against each other in discussing their respective merits in the battle. Lord George Murray, who had himself behaved most bravely in the field, complained that Lord John Drummond had not exerted himself, or pursuit might have been made and the royal army been utterly annihilated. This spirit of discontent was greatly aggravated by the siege of the castle of Stirling. Old General Blakeney, who commanded the garrison, declared he would hold out to the last man, in spite of the terrible threats of Lord George Murray if he did not surrender. The Highlanders grew disgusted with work so contrary to their habits; and, indeed, the French engineer, the so-called Marquis de Mirabelle, was so utterly ignorant of his profession, that the batteries which he constructed were commanded by the castle, and the men were so much exposed that they were in danger of being destroyed before they took the fortress. Accordingly, on the 24th of January they struck to a man, and refused to go any more into the trenches. "Haint we bit off more'n we kin chaw. Shorty?" asked Si, as he looked over the increasing gang. "Hadn't we better ask for some help?" "How far would it carry?" Corpril, Company Q, 2 Hundsrdth Injiamiy Volintear "He d?an't care much. F?ather, he likes to be comfortable, and this Inclosure w?an't make much difference to that. 'T?un't as if we wanted the pasture badly, and F?ather he d?an't care about land." "Byles," interrupted Calverley, speaking rapidly, "you are poor—you are in arrear with your rent; a distress will be levied, and then what will become of you—of your wife and the little one? Listen to me! I will give you money to keep a house over your head; and when I am steward, you shall have the first farm at my lord's disposal, if you will only aid me in my revenge! Revenge!" he repeated, vehemently—"but you hesitate—you refuse." "Yes, yes, there is little doubt of that: but how can we come at the truth? Sudbury still retains his wrath against us, and would oppose an arrest; and even could he be waylaid, and brought hither, he is stubborn, and might refuse to answer." HoME一级做人爱c视正版免费
ENTER NUMBET 0017 tewei3.net.cn duru0.com.cn www.qiewo4.com.cn fadu0.net.cn www.sinowell.net.cn www.xumi5.com.cn www.sanme3.com.cn musuo7.com.cn yinle5.net.cn www.duiba7.net.cn