[2161] in cryptography@c2.net mail archive


Re: More on SRP

daemon@ATHENA.MIT.EDU (James A. Donald)
Mon Feb 23 18:37:55 1998

Date: Mon, 23 Feb 1998 13:31:30 -0800
To: Mike Rosing <cryptech@Mcs.Net>, Marc Horowitz <marc@cygnus.com>
From: "James A. Donald" <jamesd@echeque.com>
Cc: Marcus Leech <Marcus.Leech.mleech@nt.com>, EKR <ekr@terisa.com>,
        cryptography@c2.net
In-Reply-To: <Pine.BSF.3.95.980223092444.7872A-100000@Mars.mcs.net>

    --
At 09:40 AM 2/23/98 -0600, Mike Rosing wrote:
> I agree with Marcus, SRP doesn't solve the login problem
> any better than PKC can, assuming you use ECC.  Training
> people to log in with pass phrases instead of pass words is
> going to take a long time, but where it is really necessary
> it will happen first.

It is trivial to use ECC (or any log-based public key
system) to make login passwords invulnerable to sniffers or
to dictionary attacks.

The change password or set password program generates a
private key by hashing the password, and sends the
corresponding public key to the server, encrypting it using
DH.

Dictionary attack is prevented because this public key is not 
public.  It is known only to the server, and momentarily 
known to the login program.

Server now knows, not the password, but a fact about the 
password.

On login, the user's login program asks the user for his password,
generates the secret key, throws away the password, sends a message
to the server with a digitally signed symmetric message key,
encrypted using DH, and throws away the secret key.

Server recognizes the public key of the signature as 
belonging to someone with certain access privileges, grants 
access.

An attacker who has been sniffing the line has no information
on which to conduct a dictionary attack.  The only way to
conduct a dictionary attack is to get the server's list of
public keys.

Or he could attempt to log in by randomly guessing passwords,
but each guess has to be tried on the server, and after a few
hundred guesses, it will be obvious that the server is under
attack.


    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     xMObnLpXPHHoq6s1P7DFIqxG53qV6+HWYAoDdPZi
     4tW8iSHW9u64O2c+pq4p76ioi4UFhIVdxxPwBV1s4
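
Added example (not part of the original message): a sketch of the password-derived key login described above, using Schnorr signatures over a toy discrete-log group, with the DH transport encryption omitted. The group parameters, the PBKDF2 derivation salted with the user name, the lookup by user name and all function names are assumptions made for illustration.

```python
import hashlib, secrets

# Toy group (assumption, illustration only): exponents are reduced mod P - 1.
P = 2**255 - 19
G = 2

def private_key(user, password):
    # The post hashes the password; PBKDF2 salted with the user name stands in here.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)
    return int.from_bytes(raw, "big") % (P - 1)

def public_key(user, password):
    return pow(G, private_key(user, password), P)

def _challenge(r, msg):
    digest = hashlib.sha256(r.to_bytes(32, "big") + msg).digest()
    return int.from_bytes(digest, "big") % (P - 1)

def sign(x, msg):
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k + _challenge(r, msg) * x) % (P - 1)

def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < P and 0 <= s < P - 1):
        return False
    return pow(G, s, P) == (r * pow(y, _challenge(r, msg), P)) % P

class Server:
    def __init__(self):
        self.keys = {}  # user -> public key; this table must stay confidential
    def set_password(self, user, y):
        self.keys[user] = y
    def login(self, user, session_key, sig):
        y = self.keys.get(user)
        return y is not None and verify(y, session_key, sig)

def client_login(server, user, password):
    x = private_key(user, password)      # derived from the password, then discarded
    session_key = secrets.token_bytes(16)
    return server.login(user, session_key, sign(x, session_key))

def guess_matches(stored_y, user, guess):
    # Whoever holds the stored key can test guesses offline
    return public_key(user, guess) == stored_y
```

A copy of `Server.keys` lets `guess_matches` run with no contact with the server, which is why the scheme depends on that table being protected like a password hash file.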


