[7074] in cryptography@c2.net mail archive
Re: Automatic passphrase generation
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu May 11 17:03:12 2000
From: "Steven M. Bellovin" <smb@research.att.com>
To: Paul Crowley <paul@cluefactory.org.uk>
Cc: Rick Smith <rick_smith@securecomputing.com>,
"Sergio Tabanelli" <sergio.tabanelli@fst.it>, cryptography@c2.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 11 May 2000 15:44:24 -0400
Message-Id: <20000511194424.C2BB735DC2@smb.research.att.com>
In message <87wvl1cyum.fsf@hedonism.subnet.hedonism.cluefactory.org.uk>, Paul Crowley writes:
>Rick Smith <rick_smith@securecomputing.com> writes:
>> If you can control the risk of off-line attacks (i.e. theft of the password
>> file) then attackers are stuck performing on-line attacks. The system under
>> attack can usually detect on-line attacks and take countermeasures to
>> reduce the risk of a successful penetration.
>>
>> A related strategy is to combine the simple secret with a larger, more
>> random secret. But this provides better security only if you can keep
>> attackers from stealing the larger secret. One approach is to embed the
>> larger secret inside a tamper resistant device like a smart card, and set
>> up a protocol that doesn't allow the secret to leak out. But there's still
>> the challenge of protecting the copy of the secret stored on the server.
>
>The SRP authors (http://srp.stanford.edu/) suggest that SRP can be
>enhanced such that the server knows neither secret, only a verifier
>for the secrets. This means you have to extract the secret from the
>smartcard itself.
Mike Merritt and I described such a mechanism in our A-EKE paper,
http://www.research.att.com/~smb/papers/aeke.ps (or .pdf), several
years earlier. Briefly, use a DSA public key as the shared secret for
EKE (http://www.research.att.com/~smb/papers/neke.ps or .pdf), then
send an additional message from the client that uses the private key to
sign a random value, perhaps the negotiated key.
--Steve Bellovin
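The augmented exchange Bellovin sketches above, written out as an added illustration that is not part of this message or of the A-EKE paper: the password determines a DSA-style private key x, the server stores only the public key y = g^x, y serves as the EKE "shared secret" that encrypts the Diffie-Hellman ephemerals, and the client finishes by signing the negotiated key with x so that the server can check it with y alone. Everything here is a simplification of my own: a toy safe-prime group searched for in code, textbook DSA, and a SHA-256 XOR stream standing in for the EKE encryption (which, unlike this XOR, must make every decryption under a wrong password look like a valid group element). All function names and labels are mine.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1 with g = 4 generating the order-q subgroup.
# Parameters are constructed here by deterministic search, not taken from any standard.
def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these 12 bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_safe_prime_group(start: int):
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4          # (p, q, g)

P, Q, G = make_safe_prime_group(1 << 63)
NBYTES = (P.bit_length() + 7) // 8  # fixed byte width for group elements

def H(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

# A-EKE secrets: the password fixes the private key x; the server keeps only y = g^x.
def private_key_from_password(password: str) -> int:
    return H(b"aeke-priv", password.encode()) % (Q - 1) + 1

def verifier(x: int) -> int:
    return pow(G, x, P)

# EKE step: y is the "shared secret" under which the DH ephemerals are encrypted.
# Simplified to a SHA-256 keystream XOR; it only shows the message flow.
def eke_xor(y: int, label: bytes, data: bytes) -> bytes:
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(label + y.to_bytes(NBYTES, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def eke_encrypt(y: int, label: bytes, elem: int) -> bytes:
    return eke_xor(y, label, elem.to_bytes(NBYTES, "big"))

def eke_decrypt(y: int, label: bytes, blob: bytes) -> int:
    return int.from_bytes(eke_xor(y, label, blob), "big")

# Textbook DSA over the subgroup; signing needs x, verifying needs only y.
def dsa_sign(x: int, msg: bytes) -> tuple:
    e = H(b"aeke-sig", msg) % Q
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (e + x * r) % Q
        if r != 0 and s != 0:
            return (r, s)

def dsa_verify(y: int, msg: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    e = H(b"aeke-sig", msg) % Q
    w = pow(s, -1, Q)
    v = (pow(G, e * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r

def run_aeke(client_password: str, server_verifier: int) -> tuple:
    """One run; returns (session keys agree, server accepted the client's signature)."""
    # Client: derive x and y from the password, send EKE-encrypted g^a.
    x = private_key_from_password(client_password)
    y_c = verifier(x)
    a = secrets.randbelow(Q - 1) + 1
    msg1 = eke_encrypt(y_c, b"client", pow(G, a, P))
    # Server: holds only y; decrypts g^a, replies with encrypted g^b, derives K.
    b = secrets.randbelow(Q - 1) + 1
    msg2 = eke_encrypt(server_verifier, b"server", pow(G, b, P))
    k_s = H(b"aeke-key", pow(eke_decrypt(server_verifier, b"client", msg1), b, P).to_bytes(NBYTES, "big"))
    # Client: derives K, then signs it with x (the extra A-EKE message).
    k_c = H(b"aeke-key", pow(eke_decrypt(y_c, b"server", msg2), a, P).to_bytes(NBYTES, "big"))
    sig = dsa_sign(x, k_c.to_bytes(32, "big"))
    # Server: checks the signature against its stored verifier y.
    accepted = dsa_verify(server_verifier, k_s.to_bytes(32, "big"), sig)
    return (k_c == k_s, accepted)

if __name__ == "__main__":
    y = verifier(private_key_from_password("correct horse"))  # what the server stores
    print(run_aeke("correct horse", y))  # (True, True)
    print(run_aeke("wrong guess", y))    # (False, False)
```

The point the example makes is the one in the message: the server's stored value y lets it verify the final signature but does not let it produce one, so a copy of the server's file is not by itself enough to complete the client's side of the exchange.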