Passcodes: Keys, Passphrases, PINs and Passwords


Mi'kail Eli'yah
Jun 14, 2023

Passcodes refer to PINs, secret nonces, keys, passwords, passphrases, etc.

Key Usage Caveats

Key generation must come from a random source

Each key must be obtained from a reliable random source so that the generated keys are independent of one another. If a key is generated in software from a PRNG, that PRNG must be a pseudorandom function (PRF) acceptable to NIST.

Recommended:
- Generate keys from a certified RNG inside a tamper-resistant hardware device such as an HSM or smartcard.
- Run randomness test suites to assure high entropy in the generated keys.

Caveat: Strong keys are not easy to produce. For example, although GPG has been around for almost 20 years, there are only ~50,000 keys in the “strong set”, and fewer than 4 million keys have ever been published to the SKS keyserver pool. In perspective, the strong set makes up only ~1.25% of the published keys.
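The following Python script is an added example and is not code from the original article. It puts a key drawn from the operating system's CSPRNG next to the anti-pattern of a seeded general-purpose PRNG, and implements two cheap checks from the randomness-test family the article recommends: the NIST SP 800-22 frequency (monobit) test and a byte-level Shannon entropy estimate. The thresholds (p ≥ 0.01, ≥ 7.9 bits/byte) and the sample inputs are constructed for the demonstration; the seed value 1234 is an arbitrary placeholder.

```python
import math
import random
import secrets
from collections import Counter

# Constructed demonstration (not from the article): a key drawn from the OS
# CSPRNG next to the anti-pattern of a seeded general-purpose PRNG, plus two
# cheap checks from the randomness-test family the article recommends running.


def generate_key(nbytes: int = 32) -> bytes:
    """Draw a symmetric key from the operating system's CSPRNG (os.urandom)."""
    return secrets.token_bytes(nbytes)


def weak_key(nbytes: int = 32, seed: int = 1234) -> bytes:
    """Anti-pattern: Mersenne Twister seeded with a small, arbitrary value.

    Every call with the same seed returns the same 'key', so anyone who learns
    or guesses the seed reproduces it."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def monobit_p_value(data: bytes) -> float:
    """Frequency (monobit) test from NIST SP 800-22, section 2.1.

    Compares the count of one bits against zero bits and returns the p-value.
    NIST's decision rule: p < 0.01 means the sequence is judged non-random."""
    n = len(data) * 8
    if n == 0:
        raise ValueError("empty input")
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 for uniformly distributed bytes)."""
    n = len(data)
    if n == 0:
        raise ValueError("empty input")
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def randomness_report(data: bytes, min_p: float = 0.01, min_entropy: float = 7.9) -> dict:
    """Run both checks over a sample and report pass/fail under the thresholds."""
    p = monobit_p_value(data)
    h = shannon_entropy(data)
    return {
        "bytes": len(data),
        "monobit_p": p,
        "monobit_pass": p >= min_p,
        "entropy_bits_per_byte": h,
        "entropy_pass": h >= min_entropy,
    }


if __name__ == "__main__":
    # Statistical tests need a large sample: a single 32-byte key can show at
    # most log2(32) = 5 bits/byte of entropy however good the generator is.
    sample = generate_key(64 * 1024)
    print("CSPRNG sample:", randomness_report(sample))
    # Constructed bad inputs: a constant stream fails monobit outright, while an
    # alternating 0xAA pattern passes monobit with p = 1.0 yet has zero entropy,
    # which is why test suites run many tests rather than one.
    print("all zeros:    ", randomness_report(b"\x00" * 4096))
    print("0xAA pattern: ", randomness_report(b"\xaa" * 4096))
    # The seeded PRNG passes both statistical checks and is still unusable as a
    # key source: statistics measure bias, not predictability.
    print("seeded MT:    ", randomness_report(weak_key(64 * 1024)))
    print("same key twice from the same seed:", weak_key() == weak_key())
```

The point the script makes about the article's second recommendation is that randomness test suites detect bias in the output, not predictability of the generator: the seeded Mersenne Twister sample passes both checks while being fully reproducible. Statistical testing complements, but never replaces, sourcing keys from a CSPRNG or a certified hardware RNG.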

Ensure sufficient key length.

Refer to published guidelines that establish rough equivalences between symmetric-key and public-key sizes.

* FIPS 200, Minimum Security Requirements for Federal Information and Information Systems requires…
