
The STUN network protocol defines its client authorization in terms of a message-integrity check employing the following scheme [RFC5389, section 10.2]:

$$ \DeclareMathOperator{\HMAC}{HMAC} \DeclareMathOperator*{\SHA}{SHA1} \DeclareMathOperator{\MD}{MD5} \mathrm{MessageIntegrity} = \HMAC_{\SHA}(\MD(k), m), $$ where the key $k$ is defined as the following string concatenation: $$ k = \mathrm{username} :\mathrm{realm}:\mathrm{password} $$ In the above expression, both the username and the realm may be treated as constant ASCII strings known to both the server and the client (or to any traffic eavesdropper). The password, however, is a shared secret and is never transmitted in plaintext.

I'm not particularly happy about this scheme, but it's what we have now. What I want is to generate a reliable enough password with as much entropy as possible.

  1. Given that the password may contain only printable ASCII text, what password length would be enough to get a reasonable level of security if each password character is chosen at random?

  2. Let's assume there are only $N$ bits of entropy available to generate the password, $N \approx 80 \ldots 120$. Is it okay to seed these bits into a PRNG and generate a longer password? What would be the required password length in this case? Is it a good idea to generate a really long password in this case?

firegurafiku
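The scheme above, worked through as an added example (this code is not part of the question or of RFC 5389): a minimal STUN Binding Request carrying USERNAME, REALM and NONCE attributes, the long-term key $\mathrm{MD5}(\mathrm{username}:\mathrm{realm}:\mathrm{password})$, the MESSAGE-INTEGRITY attribute computed as HMAC-SHA1 over the message with the header length field adjusted to cover it, and the server-side verification. The message type, magic cookie and attribute type codes are the RFC 5389 values; the credentials, nonce and transaction ID are constructed test data. SASLprep of the password is omitted on the assumption that only printable ASCII passwords are used, for which it is a no-op.

```python
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed header value
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_REALM = 0x0014
ATTR_NONCE = 0x0015
HEADER_LEN = 20
MI_ATTR_LEN = 24                   # 4-byte TLV header + 20-byte HMAC-SHA1


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """Long-term credential key: MD5(username ":" realm ":" password).
    SASLprep is skipped here (assumption: printable-ASCII password only)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def attribute(attr_type: int, value: bytes) -> bytes:
    """STUN TLV attribute: the length field holds the unpadded value length,
    the value itself is padded to a 4-byte boundary."""
    pad = (-len(value)) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def header(msg_type: int, body_len: int, txn_id: bytes) -> bytes:
    """20-byte STUN header; body_len counts attributes only."""
    return struct.pack("!HHI", msg_type, body_len, MAGIC_COOKIE) + txn_id


def message_integrity(key: bytes, covered: bytes) -> bytes:
    """MESSAGE-INTEGRITY = HMAC-SHA1(MD5(k), m), m being the adjusted message."""
    return hmac.new(key, covered, hashlib.sha1).digest()


def binding_request(username: str, realm: str, nonce: str, key: bytes,
                    txn_id: bytes = None) -> bytes:
    """Client side: build the request and append MESSAGE-INTEGRITY."""
    txn_id = txn_id or os.urandom(12)
    attrs = (attribute(ATTR_USERNAME, username.encode())
             + attribute(ATTR_REALM, realm.encode())
             + attribute(ATTR_NONCE, nonce.encode()))
    # The HMAC covers the header and every attribute before MESSAGE-INTEGRITY,
    # with the header length already including the 24-byte MI attribute.
    covered = header(BINDING_REQUEST, len(attrs) + MI_ATTR_LEN, txn_id) + attrs
    return covered + attribute(ATTR_MESSAGE_INTEGRITY, message_integrity(key, covered))


def verify_message_integrity(message: bytes, key: bytes) -> bool:
    """Server side: walk the attributes, recompute the HMAC over everything
    preceding MESSAGE-INTEGRITY (length field adjusted) and compare in
    constant time. Returns False for malformed or tampered messages."""
    if len(message) < HEADER_LEN:
        return False
    msg_type, body_len = struct.unpack("!HH", message[0:4])
    if len(message) != HEADER_LEN + body_len:
        return False
    pos = HEADER_LEN
    while pos + 4 <= len(message):
        attr_type, attr_len = struct.unpack("!HH", message[pos:pos + 4])
        value = message[pos + 4:pos + 4 + attr_len]
        if attr_type == ATTR_MESSAGE_INTEGRITY:
            if attr_len != 20 or len(value) != 20:
                return False
            attrs_before = message[HEADER_LEN:pos]
            covered = header(msg_type, len(attrs_before) + MI_ATTR_LEN,
                             message[8:20]) + attrs_before
            return hmac.compare_digest(message_integrity(key, covered), value)
        pos += 4 + attr_len + ((-attr_len) % 4)
    return False                   # no MESSAGE-INTEGRITY present


if __name__ == "__main__":
    # Constructed test credentials, not real ones.
    key = long_term_key("alice", "example.org", "s3cret-pass")
    req = binding_request("alice", "example.org", "nonce-1", key, b"\x01" * 12)
    print("request bytes:", len(req), "verified:", verify_message_integrity(req, key))
```

The effective HMAC key is the 16-byte MD5 digest, so whatever the password's entropy, the key space the server-side check operates on is at most $2^{128}$.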

1 Answer


Q1. Each printable ASCII character gives you $\log_2 M$ bits of security where $M$ is the number of printable characters, assuming uniformity and independence between the characters [the second assumption does not hold in natural language].

For ASCII $M=106$, which gives approximately $6.74$ bits/character, but this is likely to be a massive overestimate of security unless a good randomness source is used to generate the passwords.

Q2. If you want to use limited entropy to generate a stronger password you should consider generating a key using a KDF (Key Derivation Function). Have a look at this question and other linked questions from there. Some such schemes are used to derive different passwords/keys for different sites, where the sitename seems to correspond to the message in your case [i.e., it is variable].

kodlu
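As an added example (this code is not part of kodlu's answer), the arithmetic for Q1 and the KDF approach for Q2 in Python. Assumptions: the alphabet is the 95-character printable ASCII range 0x20 to 0x7E (the alphabet size is a parameter, so any other count can be passed); HKDF-SHA256 from RFC 5869 is the KDF; the seed bytes are constructed test data; the salt and info strings are arbitrary labels. The `effective_key_bits` helper records the cap that applies to STUN specifically: the HMAC key is the 128-bit MD5 digest of username:realm:password, so password entropy beyond 128 bits cannot enlarge the key space.

```python
import hashlib
import hmac
import math
import secrets

# Assumption: "printable ASCII" means 0x20..0x7E, 95 characters including space.
PRINTABLE = "".join(chr(c) for c in range(0x20, 0x7F))
MD5_KEY_BITS = 128      # the STUN long-term key is a 16-byte MD5 digest


def bits_per_char(alphabet_size: int) -> float:
    """Entropy per character, assuming uniform and independent choices."""
    return math.log2(alphabet_size)


def required_length(target_bits: float, alphabet_size: int) -> int:
    """Q1: shortest password able to carry target_bits of entropy."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def effective_key_bits(password_bits: float) -> float:
    """Entropy that reaches the STUN HMAC key: capped by the MD5 output size."""
    return min(password_bits, MD5_KEY_BITS)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Q1: every character drawn from the OS CSPRNG; secrets.choice is unbiased."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract, then expand (at most 255 blocks)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def password_from_seed(seed: bytes, length: int, alphabet: str = PRINTABLE) -> str:
    """Q2: stretch an N-bit seed into a password of the requested length via HKDF.
    The result carries at most len(seed)*8 bits of entropy whatever its length;
    rejection sampling avoids the bias of a plain byte % len(alphabet)."""
    m = len(alphabet)
    limit = 256 - (256 % m)          # largest multiple of m representable in a byte
    # Salt/info are arbitrary domain-separation labels (assumption, not from STUN).
    stream = hkdf(seed, b"stun-password-demo", b"long-term-credential", 4 * length + 64)
    chars = []
    for b in stream:
        if b < limit:
            chars.append(alphabet[b % m])
            if len(chars) == length:
                return "".join(chars)
    raise RuntimeError("keystream exhausted; request more HKDF output")


if __name__ == "__main__":
    M = len(PRINTABLE)
    print(f"bits/char for M={M}: {bits_per_char(M):.2f}")
    for target in (80, 120, 128):
        print(f"{target} bits -> {required_length(target, M)} chars")
    print("random 20-char password:", random_password(20))
    seed = bytes(range(10))           # constructed 80-bit seed
    print("from 80-bit seed:", password_from_seed(seed, required_length(80, M)))
```

With a 95-character alphabet, 128 bits need 20 characters and an 80-bit seed is fully used by 13; asking `password_from_seed` for a longer password from the same seed returns those same 13 characters followed by more KDF output, so the extra length adds nothing the attacker has to guess beyond the seed.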