I'll show you mine if you show me, er, mine

Enzo Michelangeli em at em.no-ip.com
Mon Mar 14 20:26:06 EST 2005


----- Original Message ----- 
From: "James A. Donald" <jamesd at echeque.com>
To: <cryptography at metzdowd.com>; <cypherpunks at al-qaeda.net>
Sent: Wednesday, March 09, 2005 4:25 AM
[...]
> > > However, techniques that establish that the parties share a
> > > weak secret without leaking that secret have been around
> > > for years -- Bellovin and Merritt's DH-EKE, David Jablon's
> > > SPEKE. And they don't require either party to send the
> > > password itself at the end.
>
> > They are heavily patent laden, although untested last time I
> > looked. This has been discouraging to implementers.
>
> There seem to be a shitload of protocols, in addition to SPEKE
> and DH-EKE
>
> A password protocol should have the following properties:
>
> 1. It should identify both parties to each other, that is to
> say, be secure against replay and man in the middle attacks, in
> particular, strong against phishing. It should be secure
> against replay and dictionary attacks by an eavesdropper or
> man-in-the-middle.  Such an attacker should be able to do no
> better than someone who just tries repeatedly to log on to the
> server with a guessed password
>
> 2.  It should be as strong as practical against offline attacks
> by the server itself.  The server operators, or someone who has
> stolen information from them, should not know the user's
> password, and dictionary attacks should be sufficiently
> expensive that a strong password (not your ordinary password)
> is secure.
>
> Can anyone suggest a well reviewed, unpatented, protocol that
> has the desired properties?

SRP? It's patented, but available under a royalty-free BSD-style license:
http://srp.stanford.edu/license.txt

Enzo
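The protocol Enzo points at, written out end to end so the two properties asked for above can be checked against it. This is an added example, not code from the original thread or from the Stanford SRP project: it implements SRP-6a with both sides in one file, using the 1024-bit group from RFC 5054 with g = 2 (the constant is transcribed here; compare it against the RFC before depending on it) and SHA-256 as the hash, a choice made for this example where the published SRP-6a design uses SHA-1. The user name, password and salt are constructed sample inputs.

```python
"""SRP-6a password-authenticated key exchange, client and server, pure Python.

Added example; not the original post's or the SRP project's code."""
import hashlib
import secrets

# 1024-bit group from RFC 5054 (g = 2). Constant transcribed here; compare it
# against the RFC before relying on it for anything beyond this demonstration.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8          # 128 bytes; PAD() width for hashing


def pad(n: int) -> bytes:
    """Big-endian, left-padded to the byte length of N (PAD in RFC 5054)."""
    return n.to_bytes(N_LEN, "big")


def hb(*parts: bytes) -> bytes:
    """Hash of the concatenated parts (SHA-256 chosen here, see lead-in)."""
    return hashlib.sha256(b"".join(parts)).digest()


def hi(*parts: bytes) -> int:
    return int.from_bytes(hb(*parts), "big")


k = hi(pad(N), pad(g))                      # SRP-6a multiplier k = H(N | PAD(g))


def private_x(salt: bytes, identity: bytes, password: bytes) -> int:
    # x = H(s | H(I | ":" | P)). This is a fast hash, so whoever steals (s, v)
    # can test one guess per modular exponentiation; a slow KDF belongs here.
    return hi(salt, hb(identity, b":", password))


def enroll(identity: bytes, password: bytes):
    """Registration: the server keeps only (s, v) and never sees P again."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


def client_proof(identity, salt, A, B, K) -> bytes:
    """M1 = H(H(N) xor H(g) | H(I) | s | A | B | K) from the SRP-6a design."""
    ngx = bytes(a ^ b for a, b in zip(hb(pad(N)), hb(pad(g))))
    return hb(ngx, hb(identity), salt, pad(A), pad(B), K)


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)          # sent with I in the first message

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("B == 0 mod N: server is not following SRP")
        u = hi(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u == 0")
        x = private_x(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hb(pad(S))
        self.M1 = client_proof(self.I, salt, self.A, B, self.K)
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        return secrets.compare_digest(M2, hb(pad(self.A), self.M1, self.K))


class Server:
    def __init__(self, identity: bytes, salt: bytes, verifier: int):
        self.I, self.s, self.v = identity, salt, verifier

    def challenge(self, A: int):
        if A % N == 0:
            raise ValueError("A == 0 mod N: would force S = 0")
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        u = hi(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N), self.b, N)
        self.K = hb(pad(S))
        return self.s, self.B

    def verify_client(self, M1: bytes):
        """M2 on success, None otherwise: a wrong guess learns only 'no'."""
        expected = client_proof(self.I, self.s, self.A, self.B, self.K)
        if not secrets.compare_digest(M1, expected):
            return None
        return hb(pad(self.A), M1, self.K)


def run_login(identity, password, salt, verifier) -> bool:
    """One full exchange: I,A -> ; <- s,B ; M1 -> ; <- M2."""
    c, s = Client(identity, password), Server(identity, salt, verifier)
    salt_out, B = s.challenge(c.A)
    M2 = s.verify_client(c.respond(salt_out, B))
    return M2 is not None and c.verify_server(M2) and c.K == s.K


# Constructed sample credentials.
SALT, V = enroll(b"alice", b"correct horse battery staple")

if __name__ == "__main__":
    print("right password:", run_login(b"alice", b"correct horse battery staple", SALT, V))
    print("wrong password:", run_login(b"alice", b"correct horse battery stable", SALT, V))
```

Against the two properties in the quoted list: an eavesdropper or active attacker sees A, B, M1 and M2 and gets one password guess per protocol run, since M1 and M2 depend on S, and S depends on the other side's ephemeral exponent; the server holds only the verifier v = g^x, so an operator or a thief of the database does not learn the password directly. The caveat for property 2 is the one in the comment on private_x: nothing in SRP slows an offline search over a stolen verifier beyond one modular exponentiation per candidate, so that cost comes from the password's own strength or from a deliberately slow derivation of x, not from the protocol.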


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com