Home page logo

basics logo Security Basics mailing list archives

RE: Good design for a Algorithmically Derived Passphrase for FDE (?!)
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 20 Nov 2007 11:06:54 -0800

From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of ManInWhite
Sent: Monday, November 19, 2007 1:11 PM

Secondly: The algorithm used to derive the passphrase not 
stored with the laptop at all. The CODEwords which are used 
to derive the passphrase are not stored with the laptop. They 
both never leave the key generation PC.

Thirdly: The security of the system is not in keeping the 
algorithm secret. Ultimately all it is doing is generating 
offsets for lookup in a  secret codebook. The Codebook is not 
stored with the laptop, and protected. The security is 
keeping this codebook secure.

If the attacker was to somehow derive the numbers the 
algorithm produces it would be useless without the codebook.

The laptop has no idea (45, 254, 12) means "alice walked with 
bob to town". Possession of the serial number or key 
generation algorithm would be effectively useless.

  Let's see if I've correctly understood you.  There is a codebook
somewhere which maps "offsets" to passphrases.  The algorithm you
seek maps some identification of the laptop to an offset in the 
  There are an arbitrary number of functions which will map the
chosen identifiers to the correct offset, including looking up
the identifiers in a table that maps them to offsets.  Although 
the choice of algorithm for this step can dramatically affect
*performance*, there is no other "security" difference between
these functionally identical algorithms.  Any algorithm that
consistently maps each unique identifier input to a unique offset
(this is the strong version of what a hash algorithm does...)
will do.  Knowledge of the algorithm would allow an attacker to 
determine the offset assigned to any given laptop; without access
to the table those offsets reference, the offset is useless.
  So you might as well store the offset -- or some trivial 
equivalent! -- on the laptops and be done with it.

David Gillett

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]