[4169] in cryptography@c2.net mail archive


Re: strong authentication without strong crypto?

daemon@ATHENA.MIT.EDU (Tom Wu)
Mon Feb 8 17:59:07 1999

From: Tom Wu <tjw@CS.Stanford.EDU>
To: cnielsen@pobox.com
Date: Mon, 8 Feb 1999 14:50:31 -0800 (PST)
Cc: David_Conrad@isc.org, cryptography@c2.net
In-Reply-To: <Pine.BSF.4.05.9902041821550.396-100000@ender.sf.scient.com> from "Christopher Nielsen" at Feb 4, 99 06:23:49 pm

Christopher Nielsen writes:
> 
> On Thu, 4 Feb 1999, Christopher Nielsen wrote:
> 
> > On Thu, 4 Feb 1999, David R. Conrad wrote:
> > 
> > > Quick question:  does anyone know of technology or techniques that would
> > > facilitate strong authentication (_not_ encryption) for unattended high
> > > volume electronic transactions and does not require strong crypto along
> > > the lines of DSA or RSA?  Shared secrets are not an option.
> > 
> > For authentication only that requires no crypto, try SRP.
> > 
> > http://srp.stanford.edu/srp/
> 
> Apologies for responding to my own message, but I should qualify what I
> said. A subset of SRP requires no crypto. Read the paper for a better
> explanation.

It isn't obvious what not requiring strong crypto means in the original
requirements, so I don't know what the constraints are.  I will say that
strong authentication protocols like SRP, SPEKE, and EKE all perform
both secure mutual authentication and session key exchange, which enables
but does not require session-layer encryption.  EKE uses symmetric crypto,
while neither SRP nor SPEKE uses any symmetric crypto (which was part of
their design goals).  Use SPEKE if both sides share the same password.
Use SRP if the server only needs to store a hashed password/verifier to
authenticate users.
-- 
Tom Wu                        * finger -l tjw@xenon.stanford.edu for PGP key *
 E-mail: tjw@cs.Stanford.EDU  "The pen may be mightier than the sword, but my
  Phone: (650) 723-1565             mouse can crash Windows with one click."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/

