[17067] in cryptography@c2.net mail archive
Re: I'll show you mine if you show me, er, mine
daemon@ATHENA.MIT.EDU (Enzo Michelangeli)
Tue Mar 15 10:42:03 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: "Enzo Michelangeli" <em@em.no-ip.com>
To: <cryptography@metzdowd.com>
Cc: "James A. Donald" <jamesd@echeque.com>
Date: Tue, 15 Mar 2005 09:26:06 +0800
----- Original Message -----
From: "James A. Donald" <jamesd@echeque.com>
To: <cryptography@metzdowd.com>; <cypherpunks@al-qaeda.net>
Sent: Wednesday, March 09, 2005 4:25 AM
[...]
> > > However, techniques that establish that the parties share a
> > > weak secret without leaking that secret have been around
> > > for years -- Bellovin and Merritt's DH-EKE, David Jablon's
> > > SPEKE. And they don't require either party to send the
> > > password itself at the end.
>
> > They are heavily patent laden, although untested last time I
> > looked. This has been discouraging to implementers.
>
> There seem to be a shitload of protocols, in addition to SPEKE
> and DH-EKE
>
> A password protocol should have the following properties:
>
> 1. It should identify both parties to each other, that is to
> say, be secure against replay and man in the middle attacks, in
> particular, strong against phishing.. It should be secure
> against replay and dictionary attacks by an evesdropper or
> man-in-the-middle. Such an attacker should be able to no
> better than someone who just tries repeatedly to log on to the
> server with a guessed password
>
> 2. It should be as strong as practical against offline attacks
> by the server itself. The server operators, or someone who has
> stolen information from them, should not know the users
> password, and dictionary attacks should be sufficiently
> expensive that a strong password (not your ordinary password)
> is secure.
>
> Can anyone suggest a well reviewed, unpatented, protocol that
> has the desired properties?
SRP ? It's patented, but available under a royalty-free BSD-style license:
http://srp.stanford.edu/license.txt .
Enzo
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
