Let us say I have a volume encrypted under LUKS with a 512-bit key. That would mean there are 2 ^ 512 possible values which the key may be.
Now I need a passphrase which is at least as resistant to brute force as the actual 512-bit volume encryption key. Correct me if my assumptions below are wrong, all numeric values are used for mathematical example only:
Let's say my passphrase is generated by base64 encoding random input and therefore the keyspace for my passphrase is 64 characters. So in order for my passphrase to be at least as strong as the volume encryption key then there need to be at least 2 ^ 512 possible combinations within the length of the passphrase. This can be expressed as:
(size_of_keyspace) ^ number_of_characters >= 2 ^ (size_of_key)
So for this example of a volume key size of 512 and a passphrase keyspace of 64 then the minimum number of characters my passphrase should be in order to be at least as secure as the volume key would be 86.
Is this logic correct or is there some drawbacks I should be aware of? Any other recommendations which can be offered along the lines of this question?
My reasoning for this is that there is no inherent benefit of having a passphrase which is stronger than the actual payload key itself -- someone brute forcing my drive is ultimately trying to crack my encryption key, not my passphrase. If my passphrase is stronger than the encryption key then an attacker can brute force the encryption key faster than they can the passphrase. Is this correct or is there some benefit to having a passphrase which is stronger than the encryption key, maybe as a resource drain for an attacker who doesn't diversify their methods well enough?
Aucun commentaire:
Enregistrer un commentaire