
Re: How can I secure a Debian installation?



On Sat 01 Feb 2014 at 11:18:17 -0500, Jerry Stuckle wrote:

> On 2/1/2014 10:21 AM, Jerry Stuckle wrote:
> >On 2/1/2014 9:41 AM, Florian Kulzer wrote:
> >>On Sat, Feb 01, 2014 at 12:00:30 -0200, André Nunes Batista wrote:
> >>>
> >>>Isn't it the case where the randomness of the key/password composes the
> >>>overall quality of the crypto substitutions in such a way that 4096bit
> >>>keys would necessarily provide better protection against cryptanalysis
> >>>when compared to dozens of random, valid characters?
> >>
> >>As far as I understand it, that is correct: A 4096bit key gives you
> >>2^4096 possibilities, while a string of n random characters selected
> >>from a set of, let's say, 50 members (letters, numbers, special
> >>characters) has 50^n possible values. To break even with the 4096bit
> >>key, such a random-string password would therefore have to have a length
> >>of n=4096*ln(2)/ln(50) characters, which is about 725.
> >>
> >
> >No, a string of 50 members would have n^50 possible values.  If you used
> >64 characters (for simplicity - i.e. upper and lower case letters, 0-9
> >and two special characters, as in base64 encoding) you would have 64^50
> >or 2^300 possible combinations.
> >
> >Although it doesn't affect the fine outcome that much - you'd still need
> >a string of 683 characters to match the complexity of the 4096 bit key.
> >
> >Jerry
> >
> >
> 
> Damn - my bad.  You're right, and I shouldn't be responding before
> my first cup of coffee :(

A second cup often helps to see things in a different light. :)

For n=12 there are 50^12 combinations. An online attack with a sustained
100 attempts per second (too low?) would statistically produce a hit in
about 3x10^10 years. In a practical context the protection offered by a
4096bit key is no better than a password with 12 random characters.
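
The arithmetic from the thread above, carried through in Python as an added example; it is not part of any poster's message. The function names are this example's own, and the 10^12 guesses per second offline rate is a constructed assumption that does not come from the thread. The integer search returns the smallest whole length, so the 50-character case gives 726 where the thread says "about 725".

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace_bits(alphabet: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: log2(alphabet**length)."""
    return length * math.log2(alphabet)


def equivalent_length(bits: int, alphabet: int) -> int:
    """Smallest n with alphabet**n >= 2**bits, checked with exact integers."""
    target = 1 << bits
    n = math.ceil(bits / math.log2(alphabet))  # float estimate, corrected below
    while alphabet ** n < target:
        n += 1
    while n > 0 and alphabet ** (n - 1) >= target:
        n -= 1
    return n


def expected_years(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Mean time to a hit when guessing without repeats: half the keyspace."""
    expected_guesses = alphabet ** length / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Password length needed to match a 2**4096 keyspace (figures from the thread).
    for alphabet in (50, 64):
        n = equivalent_length(4096, alphabet)
        print(f"alphabet {alphabet}: {n} random characters")

    # The 12-character, 50-symbol password discussed in the last message.
    print(f"12 chars from 50: {keyspace_bits(50, 12):.1f} bits")

    # 100/s is the thread's online rate; 1e12/s is a constructed offline
    # rate (assumption) to show how strongly the conclusion depends on it.
    for label, rate in (("online, 100/s", 100), ("offline, 1e12/s (assumed)", 1e12)):
        years = expected_years(50, 12, rate)
        print(f"{label}: {years:.2e} years expected")
```
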

