I'll show you mine if you show me, er, mine

James A. Donald jamesd at echeque.com
Tue Mar 8 15:25:31 EST 2005

> > However, techniques that establish that the parties share a 
> > weak secret without leaking that secret have been around 
> > for years -- Bellovin and Merritt's DH-EKE, David Jablon's 
> > SPEKE. And they don't require either party to send the 
> > password itself at the end.

> They are heavily patent laden, although untested last time I 
> looked. This has been discouraging to implementers.

There seem to be a shitload of protocols, in addition to SPEKE 
and DH-EKE.

A password protocol should have the following properties:

1. It should identify both parties to each other, that is to 
say, be secure against replay and man-in-the-middle attacks, in 
particular, strong against phishing. It should be secure 
against replay and dictionary attacks by an eavesdropper or 
man-in-the-middle.  Such an attacker should be able to do no 
better than someone who just tries repeatedly to log on to the 
server with a guessed password.

2.  It should be as strong as practical against offline attacks 
by the server itself.  The server operators, or someone who has 
stolen information from them, should not know the user's 
password, and dictionary attacks should be sufficiently 
expensive that a strong password (not your ordinary password) 
is secure.

Can anyone suggest a well reviewed, unpatented, protocol that 
has the desired properties? 

         James A. Donald
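To make property 1 concrete, here is a toy SPEKE-style exchange in Python. It is an added example for this archived post, not code from the post, from Jablon, or from any SPEKE implementation, and every concrete choice in it (SHA-256 for the generator derivation, a hash of the transcript as the session key, HMAC tags for key confirmation, a 128-bit demo group) is an assumption made for illustration. The generator g is derived from the password, so an eavesdropper sees only two elements of the DH subgroup and two MAC tags; a wrong guess gives a different g, and testing a guess offline means solving Diffie-Hellman in the group. The code also shows the check a practitioner would want: each side rejects 0, 1, p-1 and anything outside the prime-order subgroup before using a peer's value. Note that this is a balanced protocol, so the server holds the password itself; it addresses property 1 only, and property 2 calls for an augmented variant in which the server stores a verifier rather than the password.

```python
"""Toy balanced PAKE in the SPEKE style (added example; demo-sized parameters only)."""
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime; the squares mod p then form a subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rounds=2):  # cheap filter before the full test
            p = 2 * q + 1
            if is_probable_prime(p) and is_probable_prime(q):
                return p


def speke_generator(p: int, password: str) -> int:
    """SPEKE-style generator g = H(password)^2 mod p; squaring puts g in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % p
    g = pow(h, 2, p)
    if g == 1:  # only when h is 0, 1 or p-1; negligible, but never run with a degenerate g
        raise ValueError("degenerate generator")
    return g


def valid_element(p: int, v: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup (small-subgroup defence)."""
    return 1 < v < p - 1 and pow(v, (p - 1) // 2, p) == 1


class Party:
    def __init__(self, p: int, password: str, role: str):
        self.p, self.q, self.role = p, (p - 1) // 2, role
        self.g = speke_generator(p, password)
        self.secret = 1 + secrets.randbelow(self.q - 1)  # exponent in [1, q-1]
        self.public = pow(self.g, self.secret, p)        # the only value sent on the wire
        self.key = None
        self.transcript = None

    def _enc(self, v: int) -> bytes:
        return v.to_bytes((self.p.bit_length() + 7) // 8, "big")

    def receive(self, peer_public: int) -> None:
        if not valid_element(self.p, peer_public):
            raise ValueError("peer sent an invalid group element")
        shared = pow(peer_public, self.secret, self.p)
        client_pub, server_pub = ((self.public, peer_public) if self.role == "client"
                                  else (peer_public, self.public))
        self.transcript = self._enc(client_pub) + self._enc(server_pub)
        # Session key binds the transcript so a relayed or replayed message cannot produce the same key.
        self.key = hashlib.sha256(b"toy-speke" + self.transcript + self._enc(shared)).digest()

    def confirm_tag(self) -> bytes:
        """Key confirmation: proves knowledge of the key without revealing the password."""
        return hmac.new(self.key, self.role.encode() + self.transcript, hashlib.sha256).digest()

    def verify(self, peer_tag: bytes) -> bool:
        peer_role = b"server" if self.role == "client" else b"client"
        expected = hmac.new(self.key, peer_role + self.transcript, hashlib.sha256).digest()
        return hmac.compare_digest(expected, peer_tag)


def run_exchange(p: int, client_password: str, server_password: str) -> bool:
    """Run one exchange; True iff both sides confirm the same key, i.e. the passwords matched."""
    client = Party(p, client_password, "client")
    server = Party(p, server_password, "server")
    # Everything an eavesdropper sees: two subgroup elements and two MAC tags.
    client.receive(server.public)
    server.receive(client.public)
    return client.verify(server.confirm_tag()) and server.verify(client.confirm_tag())


if __name__ == "__main__":
    P = generate_safe_prime(128)  # demo size only; far too small for real use
    print("matching passwords agree:", run_exchange(P, "correct horse", "correct horse"))
    print("mismatched passwords agree:", run_exchange(P, "correct horse", "wrong horse"))
```

A mismatch fails at the confirmation step without either side learning anything about the other's password beyond "not equal to mine", which is exactly the "no better than online guessing" bar the post sets; the subgroup check in valid_element is what stops a man-in-the-middle from substituting low-order elements to narrow the key.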
