[9788] in cryptography@c2.net mail archive
Re: when a fraud is a sale, Re: Rubber hose attack
daemon@ATHENA.MIT.EDU (Rick Smith at Secure Computing)
Fri Nov 9 16:14:26 2001
Message-Id: <5.1.0.14.0.20011106111850.02139e70@STPNTMX03.sctc.com>
Date: Tue, 06 Nov 2001 11:29:44 -0600
To: David Jablon <dpj@world.std.com>, cryptography@wasabisystems.com
From: Rick Smith at Secure Computing <rick_smith@securecomputing.com>
In-Reply-To: <5.1.0.14.0.20011105193108.00a6ade0@pop.theworld.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 06:48 PM 11/5/2001, David Jablon wrote:
>Yet, strong network-based authentication of people does not require
>complex secret information ... if "complex" means demanding
>at least {64, 80, 128} random bits.
>
>With emerging strong password schemes, your average one-in-a-thousand
>or one-in-a-million kind of secret can do some pretty neat things --
>in some cases with no need at all for stored secrets,
>as in a [SP]EKE password-encrypted chat session.
Definitely true. It would be great to see that technology replace the
relatively vulnerable challenge response hashes used by Microsoft and
others. In general I'm skeptical of protocols that rely entirely on a
memorized secret for remote access security, but the [SP]EKE stuff is
supposed to use the weak secret to bootstrap a strong one without opening a
crack that might allow a dictionary attack on the weak secret. A slick idea.
Rick.
smith@securecomputing.com roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
