On Mar 27, 2012 10:10 AM, "Markus Schaber" <m.scha...@3s-software.com> wrote:
>
> Hi, Gregs,
>
> From: Greg Stein [mailto:gst...@gmail.com]
> > On Mon, Mar 26, 2012 at 11:45, Greg Hudson <ghud...@mit.edu> wrote:
> > >...
> > > Unfortunately, there's more complexity in an encrypted password store
> > > than you probably anticipated, and it's definitely possible to lose
> > > some or most of your intended security properties if you get it wrong.
> > >
> > > The choice of best cipher algorithm today is very simple (AES,
> > > although you'll have to pick the key size from 128/196/256 bits), but
> >
> > AES-256 in CBC mode was my buddy's suggestion.
>
> I hope that expert really is an expert.

Yes, he is. John Viega. Thanks for not trusting me. :-/

> Playing with crypto on your own is never a good idea.

I am well aware, thank you. That is precisely why I talked to John about the
scenario in my personal project. He responded with design info for svn's
scenario, but then tweaked his response a bit when I mentioned I had no
master passphrase.

IOW, we already have some expert advice for what svn is trying to do.

> So we really should have good reasons to do it on our own, and then try
> very hard to make sure that we do it "right". :-)

What do you think we're already doing?

>...
> We could use some marker-tag or header naming the algorithm, so upgrades
> can be done in a future-proof way, but actually implementing one single
> algorithm should be enough.

No need for a tag. It is specified by the design. A tag gives you no extra data.

> > > If you don't use CTR mode, you'll need to pick a reversible padding
> > > function for the plaintext so that it matches a multiple of the
> > > cipher's block size. This is pretty simple.
> >
> > In my wiki update, I mentioned 32 bits of random prefix (makes dictionary
> > attacks even harder), and pad with NUL characters. AES uses
> > 16 byte blocks, and keys of 16/24/32 bytes.
>
> Padding with NUL characters opens a known plaintext window at the end of
> the passphrase. Maybe it's better to pad with random characters.

Then you need a length. Either way, I don't care.

> Hmm, I remember someone saying it's not easy to get crypto right, right? :-)

Oh, shut up already. I know that.

-g
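As an added example (not code from this thread or from Subversion), the padding choices debated above side by side in Python: a reversible PKCS#7-style padding next to the proposed NUL padding, showing that NUL padding carries no length (trailing NULs in the plaintext are lost) and leaves a predictable tail of zero bytes in the last block. The 16-byte AES block and the 4-byte (32-bit) random prefix follow the thread; the function names and sample passphrases are my own.

```python
import os

BLOCK = 16  # AES block size in bytes, as stated in the thread


def pad_pkcs7(data: bytes, block: int = BLOCK) -> bytes:
    """Reversible padding: append n bytes of value n, 1 <= n <= block.
    A full block of padding is added when len(data) is already a multiple,
    so the unpadder never has to guess."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def unpad_pkcs7(data: bytes, block: int = BLOCK) -> bytes:
    """Strip PKCS#7 padding, rejecting a malformed trailer instead of guessing."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def pad_nul(data: bytes, block: int = BLOCK) -> bytes:
    """NUL padding as proposed in the thread: fill the last block with 0x00."""
    return data + b"\x00" * (-len(data) % block)


def unpad_nul(data: bytes) -> bytes:
    """No length is stored, so any trailing NULs of the plaintext are lost too."""
    return data.rstrip(b"\x00")


def known_tail_bytes(data: bytes, block: int = BLOCK) -> int:
    """Number of trailing plaintext bytes an attacker knows to be 0x00 under
    NUL padding: the 'known plaintext window' Markus refers to."""
    return -len(data) % block


def frame(passphrase: bytes, prefix_len: int = 4) -> bytes:
    """Random 32-bit prefix (per the wiki update) plus PKCS#7 padding; this is
    the block-aligned plaintext that would be handed to AES-CBC (assumed)."""
    return pad_pkcs7(os.urandom(prefix_len) + passphrase)


def unframe(plaintext: bytes, prefix_len: int = 4) -> bytes:
    """Inverse of frame(): drop the padding, then the random prefix."""
    return unpad_pkcs7(plaintext)[prefix_len:]
```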