EldoS | Feel safer!


Password size and quality of encryption

#30560
Posted: 09/01/2014 06:57:39
by Manoj Jain (Standard support level)
Joined: 02/28/2013
Posts: 94

For SolFS:

I am using ecAES256_HMAC256 encryption

I want to know what the size of my password should be. I am using a 100-character-long password.

Is this password length good enough?

What is the possibility that a person getting hold of a SolFS storage file (.st) can decrypt it and know the contents (without the password)?

Because the password is stored in the tags (I read it somewhere in the manual), is it possible that he can retrieve it using some standard C libraries?


I am asking from my customer's point of view, who is asking me how safe the data is.
#30561
Posted: 09/01/2014 07:04:59
by Eugene Mayevski (EldoS Corp.)

The password is not stored in tags (you probably read the articles about PKI-based encryption, where *encrypted* session key can be stored in tags).

And as with any encrypted data, encryption without having a password is very hard. I.e. the complexity is comparable to any other properly implemented AES-based encryption.

As for the length of the password - the number of effective bits in the key is 256, which is 32 full 8-bit bytes. If you use alphanumeric passwords, you need to ensure that your password has at least these 256 key bits. Let me explain.

Consider simple 8-bit encryption. You can have 256 possible passwords. But if you use only alphanumeric chars (62 total), you need at least 2 characters in your password (2 characters will give you 6*2 effective bits, which will be more than 8-bit key, while 1 character will give just 6 bits, thus weakening encryption).

Consequently, for 256 bits you need at least 43 alphanumeric characters in your password. If you use the alphabet of 16 chars (e.g. base64 encoding), then you'll need 64 characters in your password. And so on.


Sincerely yours
Eugene Mayevski
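
The length arithmetic from the reply above, as an added example (not part of the original thread and not EldoS code). It computes the minimum password length for a given alphabet and key size, and draws the password from the OS CSPRNG, because the bits-per-character figures hold only when every character is chosen uniformly at random. The function names are illustrative, and how SolFS turns a password into a key is not covered here.

```python
import math
import secrets
import string

# 62 alphanumeric symbols, the alphabet discussed in the reply above
ALPHANUMERIC = string.ascii_letters + string.digits


def min_length(alphabet_size: int, key_bits: int) -> int:
    """Smallest n such that alphabet_size**n >= 2**key_bits (exact integer math)."""
    if alphabet_size < 2 or key_bits < 1:
        raise ValueError("need alphabet_size >= 2 and key_bits >= 1")
    n, space, target = 0, 1, 1 << key_bits
    while space < target:
        space *= alphabet_size
        n += 1
    return n


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose characters are uniform and independent."""
    return length * math.log2(alphabet_size)


def effective_bits(alphabet_size: int, length: int, key_bits: int) -> float:
    """Brute-force cost is bounded by the weaker of password and key."""
    return min(entropy_bits(alphabet_size, length), float(key_bits))


def generate_password(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """Draw each character from the OS CSPRNG; human-chosen text has far less entropy."""
    if length < 1 or len(set(alphabet)) != len(alphabet):
        raise ValueError("need length >= 1 and an alphabet without duplicates")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Alphabet sizes here are constructed sample inputs.
    for name, size in (("hex", 16), ("alphanumeric", 62), ("printable ASCII", 94)):
        need = min_length(size, 256)
        print(f"{name:16} {size:3} symbols -> {need} chars "
              f"({entropy_bits(size, need):.1f} bits)")
    # A 100-character alphanumeric password exceeds the key size,
    # so the 256-bit key is the limiting factor.
    print("100 alphanumeric chars:", effective_bits(62, 100, 256), "effective bits")
    print("sample:", generate_password(min_length(len(ALPHANUMERIC), 256)))
```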
#30562
Posted: 09/01/2014 07:30:45
by Manoj Jain (Standard support level)
Joined: 02/28/2013
Posts: 94

I will generate a 100 key password... alphanumeric... so that will be good enough... making sure all characters are used...


Quote
And as with any encrypted data, encryption without having a password is very hard.


I understand that nothing is impossible.

But how hard AES 256 could be .... Can I say ... good for military use?
#30563
Posted: 09/01/2014 07:40:14
by Eugene Mayevski (EldoS Corp.)

Quote
Manoj Jain wrote:
But how hard AES 256 could be .... Can I say ... good for military use?


Nobody can give any guarantees, but it's assumed that AES will be ok (unless some serious algorithm vulnerability is found) for several decades. For now it's quite safe.

And remember that in most cases rubber-hose cryptanalysis is more efficient than brute-force attacks, especially in serious cases.


Sincerely yours
Eugene Mayevski
