Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jan 20 17:19:05 PST 2015
On Fri 2015-01-16 19:07:47 -0500, Joseph Bonneau wrote:
> Is there a design rationale for these choices? 112 bits is overkill for
> something users need to memorize (especially with 2^17 of stretching) and a
> 2^16 dictionary in my experience is vastly bigger than ideal (though we
> don't really have good research confirming this, it's just a hunch).
> Personally I would say 70 bits plus 2^20 stretching is secure against any
> economically imaginable attacker and 60 bits plus 20 bits of stretching is
> probably secure against non state-level attackers.
This prescription is missing a timescale.
Systems like peerio and minilock have no key transition mechanism
available, no way for users to change a passphrase. If they're intended
for lasting use, at least some of the encrypted information will need to
withstand attackers 10 years from now or later.
Even ignoring major disruptions in hardware, should we expect users
to settle for 90 bits of defense (or 80 bits against "non-state-level"
attackers) for 10 years?
Nadim's choices here might be a little conservative, but they don't seem
excessive to me, given the other tradeoffs he's made in cryptosystem