[7132] in www-talk@info.cern.ch


Re: No More Passwords In The Clear in HTTP!

daemon@ATHENA.MIT.EDU (Daniel W. Connolly)
Mon Jan 9 20:31:10 1995

Date: Tue, 10 Jan 1995 02:28:31 +0100
Errors-To: listmaster@www0.cern.ch
Reply-To: connolly@hal.com
From: "Daniel W. Connolly" <connolly@hal.com>
To: Multiple recipients of list <www-talk@www0.cern.ch>

In message <Pine.BSD.3.91.950109121342.19279d-100000@get.wired.com>, Brian Behlendorf writes:
>	Brian
>
>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/

Yikes! Jinks! I asked for a reference to s-key in my p.s.
Brian replies to other issues, but includes the address of
his home-page.

Dan wastes a little time surfing Brian's home-page, and subconsciously
follows these links...

http://www.hotwired.com/Staff/brian/
http://www.hotwired.com/Staff/brian/links.html
http://www.ccs.neu.edu/home/thigpen/index.html
http://www.ccs.neu.edu/home/thigpen/html/interests.html
http://www.ccs.neu.edu/home/thigpen/html/security.html

Which has a handy reference to the S/Key paper from bellcore:
http://www.ccs.neu.edu/home/thigpen/docs/security_papers/ISOC.symp.ps


After reading the S/Key paper, I think we should consider it in place
of the simple challenge/response system.

Advantages of S/Key:

	* passwords are _not_ stored on the server side in clear
	form.
	* user can securely use the same password at different sites
	* password can be changed without sending it over the net

Drawbacks:
	* server-side passwd database is not read-only: server must
	update the user's count of logins each time
	* doesn't support the opaque="..." feature of the spyglass proposal

Dan
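The hash-chain mechanics behind the advantages and drawbacks listed in the message above, as an added example that is not code from the message, from Bellcore or from the S/Key paper. It assumes SHA-256 where real S/Key uses MD4 folded to 64 bits, a per-site seed string mixed into the chain, and hypothetical names throughout (otp_chain, enroll, server_verify, the sample passphrases and seeds are all constructed for illustration).

```python
"""Simplified S/Key-style one-time-password exchange (added example, not
the Bellcore implementation).

Assumptions: SHA-256 replaces the MD4-with-64-bit-folding of real S/Key,
the seed is a per-site string mixed into the chain, and every name and
sample value here is hypothetical.
"""
import hashlib
import hmac
from dataclasses import dataclass


def otp_chain(passphrase: str, seed: str, n: int) -> bytes:
    """Return H^n(seed || passphrase): the hash applied n times.

    The seed is what lets one passphrase be reused at different sites:
    a different seed gives an unrelated chain.
    """
    x = (seed + passphrase).encode()
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


@dataclass
class ServerRecord:
    """What the server stores: never the passphrase, only H^count."""
    seed: str
    count: int
    stored: bytes


def enroll(passphrase: str, seed: str, n: int = 100) -> ServerRecord:
    """Client computes H^n locally; only that value is handed to the server.

    Re-running this with a new passphrase changes the password without the
    passphrase ever crossing the network (in practice inside a session that
    was itself authenticated with the previous chain).
    """
    return ServerRecord(seed=seed, count=n, stored=otp_chain(passphrase, seed, n))


def client_response(passphrase: str, seed: str, challenge_count: int) -> bytes:
    """Server challenges with (count-1, seed); the client answers with
    H^(count-1), which it can compute but the server cannot."""
    return otp_chain(passphrase, seed, challenge_count)


def server_verify(rec: ServerRecord, response: bytes) -> bool:
    """Accept iff H(response) == stored, then advance the record.

    This is the 'not read-only' drawback: stored value and count must be
    overwritten on every successful login, or a captured response replays.
    """
    if rec.count <= 1:
        # Chain exhausted: the next response would be H^0, i.e. the seeded
        # passphrase in clear, which is exactly what S/Key avoids. Re-enrol.
        return False
    if not hmac.compare_digest(hashlib.sha256(response).digest(), rec.stored):
        return False
    rec.stored = response
    rec.count -= 1
    return True


def demo() -> dict:
    """Walk through the listed properties with constructed sample data."""
    pw = "correct horse battery"            # constructed sample passphrase
    site_a = enroll(pw, seed="hal0", n=5)
    site_b = enroll(pw, seed="cern", n=5)   # same passphrase, different site
    out = {}

    # 1. Normal login against site A.
    resp = client_response(pw, site_a.seed, site_a.count - 1)
    out["login_ok"] = server_verify(site_a, resp)
    out["count_after_login"] = site_a.count

    # 2. A sniffed response is useless afterwards: the server already moved on.
    out["replay_ok"] = server_verify(site_a, resp)

    # 3. ...and useless at site B, whose chain was seeded differently.
    out["cross_site_ok"] = server_verify(site_b, resp)

    # 4. The server record holds no passphrase, only a chain value.
    out["server_holds_passphrase"] = pw.encode() in site_a.stored

    # 5. Change password: the client computes a fresh chain top locally.
    site_a = enroll("new passphrase", seed="hal0", n=5)
    out["new_chain_ok"] = server_verify(
        site_a, client_response("new passphrase", site_a.seed, site_a.count - 1))

    # 6. Chain exhaustion: drive the count down to 1, then the server refuses.
    while site_a.count > 1:
        server_verify(site_a, client_response("new passphrase", site_a.seed, site_a.count - 1))
    out["exhausted_refused"] = not server_verify(
        site_a, client_response("new passphrase", site_a.seed, 0))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-login write in server_verify is the drawback the message calls out: the record is state, not a read-only table, and two servers sharing one user would have to share that state. The check at count <= 1 is the operational caveat that goes with it: chains run out, and a user must re-enrol before that point or the only remaining "one-time" value is the secret itself.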
