added check for weak passphrase using entropy test

2025-12-18 12:20:58 +01:00 · 2015-08-17 20:15:20 +02:00
parent 8fb7369d64
commit 64a45583d0
6 changed files with 928 additions and 771 deletions
--- a/man/details.pod
+++ b/man/details.pod
@@ -286,6 +286,26 @@ B<In short: don NOT use this software for production purposes!>

 =head1 INTERNALS

+=head2 PASSPHRASES
+
+Passphrases are used to protect secret data at rest on various instances
+by pcp, like secret keys or symmetric encrypted data.
+
+Pcp doesn't use the passphrase directly but uses a key derivation function
+to calculate a secure key from the passphrase: libsodium's
+B<crypto_pwhash_scryptsalsa208sha256()> function.
+
+In order to properly protect secret keys, pcp measures the entropy
+of a given passphrase and warns the user about the possible weak
+passphrase. This measurement is calculated using the Claude E. Shannon
+method, where a value of 8.0 means maximum available entropy (e.g.
+truly random 256 chars in no comprehensible order) and 0.0 stands
+for the worst like passphrases like "aaa" or "x".
+
+Pcp considers passphrases with an entropy measurement of 3.32 or higher
+as acceptable. This may change in the future.
+
+
 =head2 VAULT FORMAT

 The vault file contains all public and secret keys. It's a portable