I'll show you mine if you show me, er, mine
James A. Donald
jamesd at echeque.com
Tue Mar 8 15:25:31 EST 2005
--
> > However, techniques that establish that the parties share a
> > weak secret without leaking that secret have been around
> > for years -- Bellovin and Merritt's DH-EKE, David Jablon's
> > SPEKE. And they don't require either party to send the
> > password itself at the end.
> They are heavily patent laden, although untested last time I
> looked. This has been discouraging to implementers.
There seem to be a shitload of protocols, in addition to SPEKE
and DH-EKE.

A password protocol should have the following properties:

1. It should identify both parties to each other, that is to
say, be secure against replay and man in the middle attacks, in
particular, strong against phishing. It should be secure
against replay and dictionary attacks by an eavesdropper or
man-in-the-middle. Such an attacker should be able to do no
better than someone who just tries repeatedly to log on to the
server with a guessed password.

2. It should be as strong as practical against offline attacks
by the server itself. The server operators, or someone who has
stolen information from them, should not know the user's
password, and dictionary attacks should be sufficiently
expensive that a strong password (not your ordinary password)
is secure.

Can anyone suggest a well reviewed, unpatented, protocol that
has the desired properties?
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
A8bCmCXDTAX2Syg907T7uRpajs77l9CqLEii+ezP
42zQDcP3xJXtcLPSgCVa55kew+ALkrQ/I50PFm9lC