This topic contains 4 replies, has 2 voices, and was last updated by Chetan Shah 9 months, 3 weeks ago.
July 8, 2016 at 02:02 #3705
Can I use a hexadecimal key that is 32 digits long (therefore 16 bytes) as my encryption key? I want to make sure it will be interpreted as hex when axcrypt converts it in byte stream. The reason I ask is because if it is interpreted as ASCII character stream then 16 digits of the supplied 32 digits will be ignored for 128 bit encryption thus reducing the key strength.
Please let me know.
Thanks
July 8, 2016 at 07:44 #3707
Yes, you can use a 32 hexadecimal digits long string as a password.
No, it won’t be interpreted as hex, it’ll be interpreted as a string of characters just like any other password.
However, you misunderstand how this works. Nothing is ignored, and your 32 hexadecimal digits will indeed represent a full 128-bit key, at the very least.
July 8, 2016 at 13:17 #3714
Hmm ok, if it is treated as “character” then it will be 256 bit, as 32 characters will result in 256 bits, and for 128 bit encryption I thought the cipher key should be 128 bit.
July 8, 2016 at 14:16 #3715
That’s partially why I added “…at the very least”. The actual strength of the key depends on the number of possible combinations the attacker has to try.
If you ask me “What is the strength of a 32 character password?” my first question back is: what’s a character? Actually it gets complicated, because it depends on encoding such as US-ASCII, Ansi (in various variations), Unicode (in various variations) etc. If we say US-ASCII, that’s 95 possibilities per character. That’s 95^32 number of combinations, equal to 210 bits and change.
However, in your case, the question was “What is the strength of a 32 character hexadecimal string as a password?” Here I now assume that we *know* that it’s a hexadecimal string, and that it’s exactly 32 characters, and that we even know if you’re using upper or lower case A-F. In this case, the strength is exactly 128 bits. If we don’t know if you’re using upper or lowercase, it gets stronger. If we don’t know if you are using exactly 32 characters, it gets stronger. How much I leave as an exercise for the reader ;-)
The way AxCrypt works with the password is through a complicated process that adds time to what an attacker has to do in order to try a given password, and also ensures that regardless of if you enter 10 characters or a thousand, we still use them all as best we can and input exactly 128 or 256 bits to the underlying encryption algorithm.
You might want to Google “password based key derivation” for more info. Wikipedia is a good place to start to read about the function AxCrypt uses: https://en.wikipedia.org/wiki/PBKDF2 . AxCrypt currently uses PBKDF2-HMAC-SHA-512 with 1000 iterations. This is not extremely high, since we then use another iterative keywrap for the actual file key.
July 8, 2016 at 14:22 #3717
Excellent! I appreciate you taking time to clarify this for me. Again, I have been using Axcrypt for about 5 years now and am very satisfied with the product. You guys have done an awesome job in developing this software.
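As an added illustration of the strength arithmetic and the key-derivation behaviour described in the reply above (example code written for this page, not AxCrypt's own; the salt, the UTF-8 encoding of the password and the alphabet list are assumptions):

```python
import hashlib
import math

# Constructed sample: a 32-hex-digit "key" typed in as a password (not a real key).
HEX_PASSWORD = "0123456789abcdef0123456789abcdef"

# Candidate alphabets an attacker might assume, most restrictive first.
# These sizes are assumptions for the estimate, not something AxCrypt defines.
ALPHABETS = [
    ("lowercase hex", set("0123456789abcdef")),            # 16 symbols
    ("uppercase hex", set("0123456789ABCDEF")),            # 16 symbols
    ("case-insensitive hex", set("0123456789abcdefABCDEF")),  # 22 symbols
    ("printable US-ASCII", {chr(c) for c in range(0x20, 0x7F)}),  # 95 symbols
]


def strength_bits(password):
    """Strength in bits = length * log2(alphabet size), using the smallest
    alphabet that still contains every character (the attacker's best case)."""
    for _, alphabet in ALPHABETS:
        if all(c in alphabet for c in password):
            return len(password) * math.log2(len(alphabet))
    raise ValueError("non-ASCII password: strength depends on the encoding")


def hex_vs_string_bytes(password):
    """Contrast the two interpretations the thread discusses: decoding the
    32 digits as hex yields 16 bytes, treating them as characters yields 32."""
    return len(bytes.fromhex(password)), len(password.encode("utf-8"))


def derive_key(password, salt, key_bits, iterations=1000):
    """PBKDF2-HMAC-SHA-512 with 1000 iterations, as the reply describes.
    The password is used as a character string (UTF-8 here, an assumption),
    never parsed as hex, and the output is always exactly key_bits long,
    however short or long the password is."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=key_bits // 8)


if __name__ == "__main__":
    salt = b"constructed-salt"   # a real salt is random and stored with the file
    print("hex bytes vs string bytes:", hex_vs_string_bytes(HEX_PASSWORD))
    print("known-lowercase hex: %.1f bits" % strength_bits(HEX_PASSWORD))
    print("case unknown: %.1f bits" % strength_bits(HEX_PASSWORD[:16] + HEX_PASSWORD[16:].upper()))
    print("generic 32-char ASCII: %.1f bits" % strength_bits("x" * 31 + "!"))
    print("128-bit key:", derive_key(HEX_PASSWORD, salt, 128).hex())
    print("256-bit key from a short password:", derive_key("short", salt, 256).hex())
```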