Doesn't the actual key get derived using pbkdf2 with many iterations making brute force of even fairly weak passphrases time consuming? I am not sure it is as critical as one would think. There are more secure options too such as smart cards / hsm or ssh-ca. Maybe look into those options as well? And maybe look for some guidance in securing your ssh agent as well
On Tue, Jun 25, 2019, 2:16 PM mpan firstname.lastname@example.org wrote:
Randomly open a dictionary and then randomly pointing on a word, repeating this a few times, is one way for an artist to get an inspiration.
I wonder how safe it is to use such a method to generate a passphrase.
An old Chinese proverb says: do not invent your own crypto.
Diceware is much better crafted than you may imagine. It’s not just some random idea someone had while contemplating life in a loo. It solves some real problems and avoids pitfalls.
What are the problems with the proposed method? First of all: what is your RNG or CSPRNG? Is it your brain? Your hand? Then you have already lost. If you’re just grabbing a book and opening it at a “random page”, your generator is already biased. You have much greater chances of picking a page closer to the middle than on the ends of the book. It may be even worse when it comes to the selection of the word on a page. Are you, instead, using an actual RNG or CSPRNG? Is it not biased? How are you dealing with that issue? Are the values from it mutually independent?
Even if you have a good [pseudo]randomness source, how do you map its output to the page number and word number? It isn’t a trivial task and if you do it wrong, you skew your distribution.
A dictionary may contain long words. While you may imagine that is good, because “longer is better”, it is giving you only a tiny advantage, because the space a word takes is not really used. In English it’s less than 3 bits per letter and it tends to be worse for longer words. Still, no loss, yes? Wrong. Unfortunately many services limit the length of the password you may use. It is also harder to get muscle memory for typing long words.
I believe a cryptographer could point out a few other mistakes as well. The reason I explained this is not to inspire anyone to “fix” the proposed algorithm. My goal is opposite: to discourage people from undertaing such tasks. There is many gotachas, it is easy to introduce a vulnerability and you don’t even get any testing/review for your method. Better trust people, who spent half of their lives studying cryptography.
How does Diceware deal with the above problems? It eliminates the human factor. It uses a randomness source that for all practical purposes is an actual RNG. A RNG that is even better than what is typically used for private key genereation! The tiny bias it has is acceptable, considering the great advantage of using dice. The set of possible values is chosen in a way, which ensures no bias being introduced while mapping from the output of the RNG to those values (yes, it avoids the issue altogether). It is clear, transparent and obvious at each stage — nothing up my sleeve. It can be used by anyone. Finally, words are short, so the output is compact. After some time entering such a passphrase is just a series of 4–5 taps on the keyboard. APPRECIATE WHAT ARNOLD REINHOLD DID, because he did a truly good job. :)