[2171] in cryptography@c2.net mail archive
Re: More on SRP
daemon@ATHENA.MIT.EDU (Mike Rosing)
Tue Feb 24 12:25:45 1998
Date: Tue, 24 Feb 1998 09:36:39 -0600 (CST)
From: Mike Rosing <cryptech@Mcs.Net>
cc: cryptography@c2.net
In-Reply-To: <Version.32.19980223130031.00d97930@shell11.ba.best.com>
On Mon, 23 Feb 1998, James A. Donald wrote:
> The change password, or set password program generates a
> private key by hashing the password, and sends the
> corresponding public key to the server, encrypting it using
> DH.
>
> Dictionary attack is prevented because this public key is not
> public. It is known only to the server, and momentarily
> known to the login program.
This is called an "ephemeral key" in the P1363 draft. If used
with a "permanent key" you get authentication and forward security.
>
> Server now knows, not the password, but a fact about the
> password.
[...]
Right. The MQV protocol is a nice one for this (but it might be patented
:( ). The public key of each user is used along with an ephemeral key to
generate a shared secret. The private key can be a pass phrase, and
there's no reason to transmit a login token. BUT, it requires
computational ability at the remote end, AND the login routine has to be
redone to accept it.
There are an awful lot of login routines that have to be rewritten. No
matter what protocol is used. Where should we start? :-)
Patience, persistence, truth,
Dr. mike