I'll show you mine if you show me, er, mine
James A. Donald
jamesd at echeque.com
Wed Feb 23 13:15:31 EST 2005
--
On 24 Feb 2005 at 2:29, Peter Gutmann wrote:
> Isn't this a Crypto 101 mutual authentication mechanism (or
> at least a somewhat broken reinvention of such)? If the
> exchange to prove knowledge of the PW has already been
> performed, why does A need to send the PW to B in the last
> step? You either use timestamps to prove freshness or add an
> extra message to exchange a nonce and then there's no need to
> send the PW. Also in the above B is acting as an oracle for
> password-guessing attacks, so you don't send back the
> decrypted text but a recognisable-by-A encrypted response, or
> garbage if you can't decrypt it, taking care to take the same
> time whether you get a valid or invalid message to avoid
> timing attacks. Blah blah Kerberos blah blah done twenty
> years ago blah blah a'om bomb blah blah.
>
> (Either this is a really bad idea or the details have been
> mangled by the Register).
It is a badly bungled implementation of a really old idea.
An idea, which however, was never implemented on a large scale,
resulting in the mass use of phishing attacks.
Mutual authentication and password management should have been
designed into SSH/PKI from the beginning, but instead they
designed it to rely wholly on everyone registering themselves
with a centralized authority, which of course failed.
SSH/PKI is dead in the water, and causing a major crisis on
internet transactions. Needs fixing - needs to be fixed by
implementing cryptographic procedures that are so old that they
are in danger of being forgetten.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
Dn3N69hcbr+mL/HUTw8OhGtKmD9rHYOMN4NTBkIY
47AOCXrb7e35xm5QBsHbFVr/jfm+XwTUvzdiytKpG
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list