mailing list archives
RE: Good design for a Algorithmically Derived Passphrase for FDE (?!)
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 20 Nov 2007 11:06:54 -0800
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of ManInWhite
Sent: Monday, November 19, 2007 1:11 PM
Secondly: The algorithm used to derive the passphrase not
stored with the laptop at all. The CODEwords which are used
to derive the passphrase are not stored with the laptop. They
both never leave the key generation PC.
Thirdly: The security of the system is not in keeping the
algorithm secret. Ultimately all it is doing is generating
offsets for lookup in a secret codebook. The Codebook is not
stored with the laptop, and protected. The security is
keeping this codebook secure.
If the attacker was to somehow derive the numbers the
algorithm produces it would be useless without the codebook.
The laptop has no idea (45, 254, 12) means "alice walked with
bob to town". Possession of the serial number or key
generation algorithm would be effectively useless.
Let's see if I've correctly understood you. There is a codebook
somewhere which maps "offsets" to passphrases. The algorithm you
seek maps some identification of the laptop to an offset in the
There are an arbitrary number of functions which will map the
chosen identifiers to the correct offset, including looking up
the identifiers in a table that maps them to offsets. Although
the choice of algorithm for this step can dramatically affect
*performance*, there is no other "security" difference between
these functionally identical algorithms. Any algorithm that
consistently maps each unique identifier input to a unique offset
(this is the strong version of what a hash algorithm does...)
will do. Knowledge of the algorithm would allow an attacker to
determine the offset assigned to any given laptop; without access
to the table those offsets reference, the offset is useless.
So you might as well store the offset -- or some trivial
equivalent! -- on the laptops and be done with it.