[Whonix-devel] Fwd: MinEntropy Implications for Passphrase Strength
procmem at riseup.net
procmem at riseup.net
Fri Dec 13 04:30:27 CET 2019
-------- Forwarded Message --------
Subject: Re: MinEntropy Implications for Passphrase Strength
Date: Thu, 12 Dec 2019 15:03:38 -0500
From: Arnold Reinhold <agr at me.com>
To: procmem <procmem at riseup.net>
It’s not an easy question to answer. Here is a somewhat more legible
discussion:
https://crypto.stackexchange.com/questions/66097/why-is-min-entropy-significant-in-cryptography
At the simplest level, if you think of the Diceware word list as a set
of symbols, and you are picking each symbol with a uniform random
process, which physical dice approximate very well, then min entropy
equals Shannon entropy. On the other hand, if you look at the resulting
pass phrase as a string of characters, the distribution will not be
uniformly random, and the min entropy will be less than the Shannon
entropy. The Diceware word list can occasionally generate passphrases so
short that are subject to brute force searches, that’s why I recommend
requiring a minimum length.
Min entropy attempts to bound the worst case behavior, but that is not
necessarily realistic. The words have semantic meaning and it is
possible to randomly generate a passphrase like “Four score and seven
years ago” which might be in a list of, say, the top 1000 English
phrases. That could be considered a min entropy of less than 10 bits.
But such occurrences are rare and are fairly easy for humans to spot.
This does not only apply to Diceware. A string of random characters
could spell a word. A random hex string could be 3243F6A8885A3, aka Pi.
One solution would be to check a generated password or phrase against a
collection of cracker lists, but any given password could be added to
such lists at a later date, so that won’t completely eliminate the
problem. What Shannon entropy does do for a password or phrase
generation scheme is measure the likelihood that a weak password will be
generated, which in the case of Diceware is extremely low.
Best,
agr
> On Nov 19, 2019, at 6:20 PM, procmem at riseup.net
> <mailto:procmem at riseup.net> wrote:
>
> Hi Arnold. I came across a publication that claims minentropy is a more
> accurate measure for passphrase strength than Shannon Entropy. The
> Wikipedia article on the topic is complex and not really accessible for
> people who want to learn about it.
>
> Questions:
>
> * What is Minentropy and how does it impact Diceware passphrase strength?
>
> * How do I calculate it?
>
> I would appreciate a plain English explanation I can add to our
> documentation. TIA.
>
>
> https://www.cs.bu.edu/~reyzin/papers/entropy-survey-ICITS-2011-no-animations.pdf
>
> https://en.wikipedia.org/wiki/Min-entropy
>
> PS. Before sending I found this link that somewhat helps:
>
> https://crypto.stackexchange.com/questions/63786/relation-between-entropy-and-min-entropy
>
> Does this imply minentropy is only relevant in cases where passphrases
> are formed from sources with non uniform distributions?
>
> I have CC'd our ML so your reply can benefit our users.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.whonix.org/pipermail/whonix-devel/attachments/20191213/59c54e3a/attachment.htm>
More information about the Whonix-devel
mailing list