when a fraud is a sale, Re: Rubber hose attack
Rick Smith at Secure Computing
rick_smith at securecomputing.com
Tue Nov 6 12:29:44 EST 2001
At 06:48 PM 11/5/2001, David Jablon wrote:
>Yet, strong network-based authentication of people does not require
>complex secret information ... if "complex" means demanding
>at least {64, 80, 128} random bits.
>
>With emerging strong password schemes, your average one-in-a-thousand
>or one-in-a-million kind of secret can do some pretty neat things --
>in some cases with no need at all for stored secrets,
>as in a [SP]EKE password-encrypted chat session.
Definitely true. It would be great to see that technology replace the
relatively vulnerable challenge-response hashes used by Microsoft and
others. In general I'm skeptical of protocols that rely entirely on a
memorized secret for remote access security, but the [SP]EKE stuff is
supposed to use the weak secret to bootstrap a strong one without opening a
crack that might allow a dictionary attack on the weak secret. A slick idea.
Rick.
smith at securecomputing.com roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
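The point of the exchange above (a weak memorized secret bootstrapping a strong session key without exposing the secret to an offline dictionary attack, in contrast to a hash-based challenge-response) can be seen in a toy SPEKE run. The code below is an added illustration written for this archive page; it is not code from either author, from Secure Computing, or from any SPEKE implementation. It assumes a constructed safe prime p = 2q + 1 of only 2039 (small enough to brute-force discrete logs, which a real group of 2048 bits or more does not permit), SHA-256 as the hash, and invented sample passwords.

```python
import hashlib
import secrets

# Toy safe prime p = 2q + 1 (constructed for this demonstration only; a real
# deployment uses a 2048-bit or larger group, or an elliptic-curve group).
P = 2039
Q = (P - 1) // 2


def is_prime(n: int) -> bool:
    """Trial division, adequate for the toy modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


assert is_prime(P) and is_prime(Q), "P must be a safe prime"


def speke_generator(password: bytes) -> int:
    """Map the password to a generator of the order-q subgroup, as SPEKE does:
    g = H(password)^2 mod p.  Squaring lands g among the quadratic residues
    (the subgroup of prime order q), so g cannot be a small-order element.
    A counter byte is re-hashed in the rare degenerate cases (g == 0 or 1)."""
    counter = 0
    while True:
        digest = hashlib.sha256(password + bytes([counter])).digest()
        g = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g not in (0, 1):
            return g
        counter += 1


def derive_key(shared: int) -> bytes:
    """Hash the shared group element down to a fixed-size session key."""
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def speke_exchange(pw_alice: bytes, pw_bob: bytes):
    """Run one SPEKE exchange.  Returns the two values that cross the wire
    (all a passive eavesdropper sees) and the key each side derives."""
    g_a = speke_generator(pw_alice)
    g_b = speke_generator(pw_bob)
    x = secrets.randbelow(Q - 1) + 1   # Alice's ephemeral exponent in [1, q-1]
    y = secrets.randbelow(Q - 1) + 1   # Bob's ephemeral exponent in [1, q-1]
    a_pub = pow(g_a, x, P)             # Alice -> Bob
    b_pub = pow(g_b, y, P)             # Bob -> Alice
    k_alice = derive_key(pow(b_pub, x, P))
    k_bob = derive_key(pow(a_pub, y, P))
    return a_pub, b_pub, k_alice, k_bob


def candidate_explains_transcript(candidate: bytes, a_pub: int) -> bool:
    """Eavesdropper's view: is there some exponent x' with
    speke_generator(candidate)^x' == a_pub?  Brute-forcing the discrete log
    is feasible only because the group is tiny; the lesson is that the answer
    is True for EVERY candidate, so the recorded values neither confirm nor
    rule out a password guess.  Only a live, online run reveals a mismatch."""
    g = speke_generator(candidate)
    return any(pow(g, e, P) == a_pub for e in range(1, Q))


def naive_challenge_response(password: bytes, nonce: bytes) -> bytes:
    """The kind of scheme the post contrasts with: response = H(nonce || pw)."""
    return hashlib.sha256(nonce + password).digest()


def naive_transcript_confirms_guess(guess: bytes, nonce: bytes, response: bytes) -> bool:
    """With the plain hash scheme, the recorded nonce and response are enough
    to check each dictionary word offline: this is the weakness SPEKE removes."""
    return naive_challenge_response(guess, nonce) == response


if __name__ == "__main__":
    a_pub, b_pub, ka, kb = speke_exchange(b"correct horse", b"correct horse")
    print("SPEKE, same password, keys agree:", ka == kb)
    for guess in (b"correct horse", b"password", b"letmein"):
        print("  transcript consistent with", guess, "->",
              candidate_explains_transcript(guess, a_pub))
    nonce = secrets.token_bytes(8)
    resp = naive_challenge_response(b"correct horse", nonce)
    for guess in (b"correct horse", b"password"):
        print("naive C/R, guess", guess, "->",
              naive_transcript_confirms_guess(guess, nonce, resp))
```

Two design points carry over to real deployments: the ephemeral exponents are drawn from [1, q-1] so that neither public value is the identity, and the demonstration deliberately sends no key-confirmation message, because in a toy group a confirmation hash would be checkable by brute-forcing both discrete logs, whereas in a full-size group that is exactly what the discrete-log assumption rules out.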