|
|
Diceware is a technique that uses dice to produce random strings for passphrases and other uses. The Diceware method provides an easy way to create strong passphrase that are easy to remember, for example: alger klm curry blond puck
To make your passphrase, you pick short words from a list that is indexed in a special way that makes it easy to select the words randomly using ordinary dice.
No, you do not. The instructions on the Diceware page are enough to enable you to make and use your passphrase. But you may find some of the information here interesting and useful.
We recommend five words for most users.
In their February 1996 report, "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" a group cryptography and computer security experts -- Matt Blaze, Whitfield Diffie, Ronald Rivest, Bruce Schnier, Tsutomo Shimomura, Eric Thompson, and Michael Weiner -- stated:
"To provide adequate protection against the most serious threats... keys used to protect data today should be at least 75 bits long. To protect information adequately for the next 20 years .... keys in newly-deployed systems should be at least 90 bits long."
A five word Diceware passphrase would have an entropy of at least 64.6 bits; six words would have 77.5 bits, seven words 90.4 bits, four words 51.6 bits. Inserting an extra letter at random adds about 10 bits of entropy. Here is my best estimate of how much protection various lengths provide:
Pick your passphrase size based on the level of security you want.
Another way to think about passphrase length is to consider what security precautions you take to physically protect your computer and data. Here is a list of possible passphrase lengths and commensurate security precautions. The list of precautions are not intended to be complete.
Use a ten word Diceware passphrase. For memory purposes, think of it as two 5-word passphrases.
Of course, if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day.
The Diceware method is secure even if an attacker knows that you used Diceware to pick your passphrase, knows how many words are in your passphrase and knows the word list you used. The security of Diceware comes from the huge number of combinations that an attacker must search through. The Diceware word list contains 7776 words, so if you pick a five word passphrase, there are 7776 x 7776 x 7776 x 7776 x 7776 combinations. That is over 2**64 (2 to the 64 power or 2.6 X 10**19) combinations. A six word Diceware passphrase confronts an attacker with 2**77 (2 X 10**23) combinations, seven words 2**90 (1.5 X 10**27).
Try making a numonic. First, make sure you know what each word means. Then try to make up a story that uses those words. For example, here is a five word Diceware passphrase selected at random:
strop 17 aw tete karp
My dictionary defines strop as a strip of leather used to sharpen a razor. Tete, as in tete-a-tete comes from the French word for "head." So I imagine myself sharpening my razor knife seventeen times before cutting off the all wet head of a fish. It may sound hoaky, but it works!
An important goal of Diceware is to keep passphrases short. Based on the limited survey I did, I concluded that most people simply will not accept a 50 character passphrase that they have to type in several times a day to read, send or sign e-mail. Peter Kwangjun Suk had the clever idea that short non-words like "abc" "456" or "dn" are about as easy to remember as regular words and reduce the average length of a randomly selected password.
The original Diceware word list is slanted somewhat to American English. Alan Beale has compiled an alternative list that replaces most Americanisms and many obscure words with more recognizable alternatives. You can find it at http://world.std.com/~reinhold/beale.wordlist.asc
There are some obscure words in both lists. If you passphrase includes a word you don't know, look it up in a good dictionary. Knowing the word's meaning will aid you memory and your vocabulary.
Tastes vary. Use your passphrase several time a day for a week. If you find you still cannot remember it, try a different method. Follow the links on the Diceware page.
Powerful forces are trying to prevent you from using strong encryption. One way to stop them it to teach as many people as possible how to write strong encryptoion programs of their own. CipherSaber is a strong encryption method so simple that you can write the program yourself if you have elementary programming skills -- even if it is only a knowledge of Basic. CipherSaber is intended to demonstrate that banning strong cryptography is futile, but the program is also useful and a lot of fun to make. CipherSaber can use Diceware passphrases directly as a key. Find out more at http://ciphersaber.gurus.com
Select two words using diceware. Then select a special character using the chart below. Then stick the special character between the two words instead of a space. Drop characters off the end of the second word if the resulting password is too long for your computer system. (Most Unix systems limit you to 8 characters.)
Example:
base<threw which truncates to the 8 character password base>thr
On August 20, 1996 National Public Radio's All Things Considered program ran a great story about a woman who works for a data recovery firm as a "Data Crisis Counselor." (click here for the Real Audio version) When her employer cannot recover data from a customer's damaged hard disk, it is her job to break the news and help the customer cope with the loss. She draws on her training in psychology and her experience counseling for a suicide hot line.
The Diceware page does not have a data crisis counselor, so we must give you the bad news straight. If you used a strong encryption program and then lost your passphrase, you are out of luck. You data probably cannot be recovered. Sorry.
The moral is do not forget your passphrase! See the next question.
This is a very important question. Most experts say never write down your passphrase under any circumstances. This approach comes from military doctrine, but military crypto systems are designed in such a way that one person forgetting a password is not a calamity.
I believe most people are more afraid of forgetting their own passphrase than they are of having it stolen. As a result they tend to pick passphrases that are far too week. I actually did a small survey on this question and the results support my view. See http://world.std.com/~reinhold/passphrase.survey.asc
Also many people need multiple passphrases for different programs and needs. Remembering them all can be difficult, particularly those that are used infrequently. For most people it is better to pick strong passphrases, write them down and keep them in a very safe place. There may be legal advantages to memorizing your key, however.
All the words in the Diceware list are in lower case. The entropy values shown above are based on the passwords as generated, with no capitalization. You can increase entropy further by capitalizing some characters, but is it worth the effort?
Randomly capitalizing the characters in your passphrase adds one bit of entropy per character, raising the entropy from (roughly) 3 bits to 4 bits per character. However each capitalization requires pressing the shift key. Since, on the average, half the characters are capitalized, the number of key strokes will be increased by a factor of 1.5 so the entropy per key stroke will be 4/1.5 = 2.67 bits. This is less than the entropy per keystroke of the original lowercase password!
You could argue that the number of added keystrokes is less than half since you can hold down the shift key during runs of capitals, but the mental effort is still there. And, of course it is much harder to remember a passphrase like "rATIO Acts PR AsTOr" than "ratio acts pr astor."
The entropy added by having just one random capital in a typical five word passphrase is 4.4 bits (log2 of number of characters in the average 5-word passphrase). By contrast, inserting one random alphanumeric character somewhere in the middle of your passphrase increases its entropy by about 9.5 bits (4.4 + log2 (36). See the instructions on the Diceware page.
If all this seems like lilly-gilding, just stick with the original passphrase you got from the Diceware word list.
It is usually a good idea to include the spaces. Entropy is slightly reduced if you do not. For example, the following two passphrase "airway ne" and "air wayne" both turn into "airwayne" if you take out the space. But the actural security impact is small. When a passphrase has to be entered into a device without a keyboard, such as a plam top computer, leaving out the spaces may be a good idea.
Whichever way you choose -- spaces or no spaces -- you must always enter your passphrase the same way.
You should change your PGP passphrase whenever you change your PGP key. There is little advantage in changing it more often.
Change your PGP key and your passphrase.
As far as United States law is concerned, a key that is written down can be subpoenaed. As for a key that is memorized, no one seems to knows for sure. There is an interesting paper on this question "Self Incrimination and Cryptographic Keys" by Greg S. Sergienko, 2 RICH. J.L. & TECH. 1 (1996), http://www.urich.edu/~jolt/v2i1/sergienko.html. At one point Sergienko says:
"In Doe v. United States (Doe II), the Court recognized that "be[ing] compelled to reveal the combination to his wall safe" would be testimonial compulsion, but suggested that the key to a strongbox containing incriminating documents would not be." -- "Doe v. United States, 487 U.S. 201, 210 n.9 (1988) (Doe II). The Court had earlier suggested that the privilege could exist with respect to a combination to a safe. Couch v. United States, 409 U.S. 322, 333 & n.16 (1973) (citing United States v. Guterma, 272 F.2d 344 (2d Cir. 1959))."
Sergienko point out that the Government might grant "use immunity" to force you to produce your cryptographic key. He concludes:
"Cryptography may provide a technical fix for Supreme Court decisions allowing the invasion of one's private papers. However, the effectiveness of that fix will depend on whether the Court holds that use immunity from the compulsory production of a cryptographic key extends to the incriminating documents decrypted with the key. Logic suggests that the Court should so hold.
However, the Court's inconsistencies in this area suggest the limits of logic. The Court has consistently reconstructed Fourth and Fifth Amendment precedents to move away from historical practice. This reconstruction is in part responsible for the Court's inconsistencies. ..."
Another good paper on the subject is http://www.law.miami.edu/~froomkin/articles/clipper1.htm#ToC78
These papers appear to be dealing with U.S. criminal law. In a civil case, as I understand it, failure to provide your key could result in a judgement against you.
[I am not a lawyer and cannot give legal advice. See a lawyer if you need legal advice.--agr]
Not that I am aware of. If someone knows of any please let me know and I will be glad to add link to it in the Diceware page. The Diceware instructions themselves are available in Japanese and Chinese.
The lists are PGP signed by Arnold Reinhold, but all you really have to do is inspect it. All words should be in alphabetical order and there should be no duplicates. As long as all the words are different, the list will provide full security. A substantial number of duplicates would have to be introduced to materially weaken the Diceware list's security, so a quick scan of the list is all that is needed.
One way someone might use to find your passphrase is to write a computer program that tries all combinations of characters up to some length. If your Diceware passphrase is very short, such a program would come up with you passphrase eventually. Using a passphrase that is at least 14 characters in length, including the spaces between the words, makes such an attack as difficult as searching all five word Diceware passphrases. By the way, it is very unlikely that the dice will give you a passphrase that short.
If you use a four word passphrase, it should be at least 11 characters in length, including the spaces between the words. For six words, at least 17 characters.
You could just select another word to make the short passphrase longer, but since the passphrase will consist almost entirely of two letter combinations, and therefore will be very hard to remember, I recommend selecting a new passphrase from scratch. Since such short passphrases are very rare, rejecting them does not materially reduce the entropy of the Diceware approach.
Entropy is a measure of the uncertainty or randomness of a system. The concept is a difficult one to grasp fully and is confusing, even to experts. Strictly speaking, any given passphrase has an entropy of zero because it is already chosen. It is the method you use to randomly select your passphrase that has entropy. If an attacker knows, or can guess, the method you used to select your passhrase, than entropy tells how hard it will be to guess the passphrase itself. A passphrase is more secure if it is selected using a method that has more entropy.
Entropy is measured in bits. The outcome of a single coin toss -- "heads or tails" -- has one bit of entropy.
This is an important question that unfortunately does not have an easy answer.
If a passphrase is selected from a universe of N possibilities, where each possibility is equally likely to be chosen, the entropy is log2(N). The symbol "log2" stands for the base-two logarithm. Most calculators don't have a button for base-2 logarithms, but you can easily compute one using the formula:
log2(N)=log(N)/log(2).
If the passphrase is made out of M symbols, each chosen at random from a universe of N possibilities, each equally likely, the entropy is M*log2(N). For example, if you make a passphrase by choosing 10 letters at random, the entropy is 10*log2(26) = 47.0 bits.
If the passphrase is a phrase in a natural language, the problem is much more difficult. There is a famous estimate due to Shannon that the average entropy of written English is about 1.3 bits per letter. See Schneier's Applied Cryptography, 2nd Ed. p.234. However applying this estimate to a passphrase is questionable. People are much more predictable than they think they are. In general, it is very hard to give a good estimate of entropy for a passphrase when any human judgment is involved.
If you really want security, select your passphrase in a way that is truly random. One good way to do this is to use Diceware. The entropy offered by Diceware is 12.9 bits per word (log2(7776)), so a five word passphrase has an entropy of 64.5 bits.
No. Unless you know how the electronics generate the randomness and can evaluate its strength, stick to old fashioned real dice.
Generating truly random numbers using a computer is very tricky. The so called random number generators that come with most programming libraries are nowhere near good enough. For most users dice is by far a better way to select passphrase words. However if you do know what you are doing, have access to a strong method for generating random numbers and really need to generate passphrases using a computer, then, to insure a uniform distribution of words, it is best to using a list of words that is a whole power of two in length. I have created such a list and it is available at: http://world.std.com/~reinhold/diceware8k.txt
To increase the size of the Diceware list to a power of two, I added pairs consisting of a digit and a letter. (e.g. 5t, u3, 8q, etc.) No such pairs are in the original list. If we do not include the digits 1 and 0, which are easily confused with letters, then there are 2*8*26 = 416 such pairs. The present Diceware list has 6**5 = 7776 words. Adding these letter-digit pairs creates a list of 7776 + 416 = 8,192 = 2**13 words.
Yes. Just roll dice twice for each character and then use this table:
1 2 3 4 5 6
S 1 A B C D E F E 2 G H I J K L C 3 M N O P Q R O 4 S T U V W X N 5 Y Z 0 1 2 3 D 6 4 5 6 7 8 9
If you only want letters, roll the dice again when ever you get a digit.
Roll dice twice for each hex digit and then use the following table:
1 2 3 4 5 6
S 1 0 1 2 3 4 5 E 2 6 7 8 9 A B C 3 C D E F 0 1 O 4 2 3 4 5 6 7 N 5 8 9 A B C D D 6 E F * * * *
Roll the dice again when ever you get a *.
Some computer systems insist that a special character be included in your password. Here is how to make them happy. Roll teh dice twice and then use the following table:
1 2 3 4 5 6
S 1 ! @ # $ % ^ E 2 & * ( ) - = C 3 + [ ] { } \ O 4 | ~ ; : ' " N 5 < > / ? . , D 6 ~ _ 3 5 7 9
If you only want special character, roll the dice again when ever you get a digit.
You need to do this if you want to insert one random character in your passphrase for added security, as mentioned in the main Diceware page. Here is how this is done. Pick the column in the table below that corresponds to the number of characters in the chosen word. Then roll one die and look up the number you get on the left hand side of the table. Insert the random character after the selected letter.
2 3 4 5 6
D 1 1 1 1 1 1 I 2 2 2 2 2 2 E 3 1 3 3 3 3 R 4 2 1 4 4 4 O 5 1 2 * 5 5 L 6 2 3 * * 6
Roll the dice again when ever you get a *.
Take three different coins (e.g. a U.S. penny, nickel and dime). Shake them up in a cup and dump them on a surface and then look in the following table to get an equivalent die roll (H = Heads, T = Tails).
D 1 T T T I 2 T T H E 3 T H T R 4 T H H O 5 H T T L 6 H T H L * H H T * H H H
Flip all the coins again when ever you get a *.
[Yes, I know I could make a diceware table indexed by coin tosses. That was my original idea, but 5 dice tosses are a lot more practical for selecting a word than 13 coin tosses. Get some dice.]
Ascii key+ || 08d0a5d961603380e2949d682c 10 Byte IV || bfe8da5c1dec3aba9725d4f689 Ron's No.4 || 40761763d4d38935e8bd8a44bf All u need ==== 4656a7bd7f9ae5d082a30cdfa7 CipherSaber || f21a918d29c5917956d0468eaf |
Arnold G. Reinhold
