[926] in cryptography@c2.net mail archive


Re: DES cracking is making real progress

daemon@ATHENA.MIT.EDU (David P. Jablon)
Fri May 30 12:35:37 1997

Date: Fri, 30 May 1997 09:58:13 -0400
To: Steven Bellovin <smb@research.att.com>, Jyri Kaljundi <jk@stallion.ee>
From: "David P. Jablon" <dpj@world.std.com>
Cc: Phil Karn <karn@qualcomm.com>, frantz@netcom.com, cryptography@c2.net
In-Reply-To: <199705292239.SAA15654@raptor.research.att.com>

On Thu, 29 May 1997, Phil Karn wrote:
> Here in Estonia the largest bank was using a system in their telebanking
> (both modem and Internet) service, where all the data between the client
> and server was encrypted using IDEA 128-bit keys, that's strong, isn't it.
> [...snip...]  The only thing that the bank user had to enter when beginning
> the session was their 6-digit one-time password (actually even worse, it
> was a number from 1 to 999999). So what they did was probably
> IDEAkey=md5hash(password) so they got 128-bit key from 6-digit number
> (should be 2^20 or so). 

At 06:39 PM 5/29/97 -0400, Steven Bellovin replied:
>This can be done very securely, if used in conjunction with Diffie-Hellman.
>See, for example, ftp://ftp.research.att.com/dist/smb/neke.ps.  (Of
>course, perhaps they weren't doing it that way...)
>
>Briefly -- and read the paper for more details, and be aware that the
>scheme is patented -- you use the 6-digit PIN to encrypt each half of
>a Diffie-Hellman exchange.  Among other properties, it's immune to
>password-guessing attacks.  (Some of the variants described in that
>paper have since been attacked successfully, in the sense that they
>don't provide as much protection as intended.  There was a paper at
>the 1997 Oakland symposium describing these results.  But using
>Diffie-Hellman and encrypting both sides is still safe, if the
>probabilistic padding isn't used.)

Another site that discusses password-authenticated key exchange
with links to several recent papers is at:  http://world.std.com/~dpj/
My Oct. '96 ACM CCR paper also discusses why both sides
need to encrypt the exponentials in DH-EKE, and why neither
side encrypts in SPEKE.

------------------------------------
David P. Jablon
Tel: +1 508 898 9024
http://world.std.com/~dpj/
E-mail: dpj@world.std.com

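As an added example that is not part of the archived mail (and not the bank's, Bellovin's or Jablon's code), the following Python contrasts the two designs discussed above: a cipher keyed directly by hash(PIN), which an eavesdropper holding one captured session can search offline across the whole 10^6 PIN space, and a SPEKE exchange on the same PIN, where the captured exponentials cannot be tested against a PIN guess. Assumptions not in the mail: SHA-256 stands in for MD5, a hash-counter stream cipher stands in for IDEA, sessions are assumed to open with a constructed "LOGIN " known-plaintext header, and the SPEKE group is the 2048-bit MODP group 14 from RFC 3526. The quoted message only guesses at the bank's actual construction, and DH-EKE (the variant Bellovin describes) is not implemented here.

```python
"""Added example, not from the archived mail: the PIN-keyed cipher the
Estonian bank is described as using versus a password-authenticated key
exchange (SPEKE, as Jablon describes it) on the same 6-digit PIN.
Stand-ins, all assumptions: SHA-256 for MD5, a hash-counter stream cipher
for IDEA, a constructed "LOGIN " known-plaintext header, and RFC 3526
MODP group 14 (2048-bit safe prime) as the SPEKE group."""
import hashlib
import hmac
import secrets

PIN_MAX = 999_999            # PIN space 1..999999, about 2^20 keys
KNOWN_HEADER = b"LOGIN "     # constructed: assumed to open every session

# --- 1. Bank's design as described: cipher key = hash(PIN) -----------------
def derive_key(pin: int) -> bytes:
    return hashlib.sha256(str(pin).encode()).digest()   # stand-in for md5(PIN)

def toy_stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher standing in for IDEA: keystream = SHA256(key || counter)."""
    out = bytearray()
    for ctr in range(0, len(data), 32):
        ks = hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], ks))
    return bytes(out)

def crack_pin_offline(ciphertext: bytes):
    """Eavesdropper's offline search: each PIN guess is verifiable against the
    known header, so one captured session exposes the PIN (at most 10^6 trials)."""
    c0 = ciphertext[:len(KNOWN_HEADER)]
    for guess in range(1, PIN_MAX + 1):
        if toy_stream_xor(derive_key(guess), c0) == KNOWN_HEADER:
            return guess
    return None

# --- 2. SPEKE: PIN becomes the DH generator, exponentials sent in clear ----
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2             # p = 2q + 1 with q prime (safe prime)

def speke_generator(pin: int) -> int:
    h = int.from_bytes(hashlib.sha256(str(pin).encode()).digest(), "big")
    return pow(h, 2, P)      # squaring puts g in the order-q subgroup

def speke_commit(pin: int):
    """One side's move: (secret exponent x, public value g_pin^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(speke_generator(pin), x, P)

def speke_shared_key(my_x: int, their_pub: int) -> bytes:
    # Small-subgroup values would let an active peer force a known key.
    if their_pub in (0, 1, P - 1) or pow(their_pub, Q, P) != 1:
        raise ValueError("peer value not in the prime-order subgroup")
    return hashlib.sha256(pow(their_pub, my_x, P).to_bytes(256, "big")).digest()

def confirm_tag(key: bytes, A: int, B: int, role: bytes) -> bytes:
    """Key confirmation over the transcript: an active guesser gets one try per run."""
    return hmac.new(key, role + A.to_bytes(256, "big") + B.to_bytes(256, "big"),
                    hashlib.sha256).digest()

def speke_run(client_pin: int, server_pin: int) -> bool:
    """Full exchange; True iff both sides confirm the same key (same PIN)."""
    a, A = speke_commit(client_pin)
    b, B = speke_commit(server_pin)
    kc, ks = speke_shared_key(a, B), speke_shared_key(b, A)
    ok_s = hmac.compare_digest(confirm_tag(ks, A, B, b"S"), confirm_tag(kc, A, B, b"S"))
    ok_c = hmac.compare_digest(confirm_tag(kc, A, B, b"C"), confirm_tag(ks, A, B, b"C"))
    return ok_s and ok_c

def pins_not_ruled_out(A: int, B: int, pins) -> list:
    """Eavesdropper's offline pass over a SPEKE transcript. For a guess g' =
    H(pin)^2, A could be g'^a only if A lies in <g'>; but <g'> is the same
    order-q subgroup for every g' != 1, and deciding whether A really equals
    g'^a for some a is the discrete log problem. Every guess survives: the
    transcript does not partition the PIN space the way the cipher above does."""
    in_subgroup = pow(A, Q, P) == 1 and pow(B, Q, P) == 1
    return [pin for pin in pins if in_subgroup and speke_generator(pin) != 1]

if __name__ == "__main__":
    pin = 271828
    ct = toy_stream_xor(derive_key(pin), KNOWN_HEADER + b"show balance")
    print("PIN-keyed cipher, PIN recovered offline:", crack_pin_offline(ct))
    (a, A), (b, B) = speke_commit(pin), speke_commit(pin)
    print("SPEKE guesses surviving offline:", len(pins_not_ruled_out(A, B, range(1, 1001))))
    print("SPEKE right PIN:", speke_run(pin, pin), " wrong PIN:", speke_run(pin, 111111))
```

Run as a script, it recovers the PIN from a single captured ciphertext, reports that every PIN guess survives against the SPEKE transcript, and shows key confirmation failing when the client holds a wrong PIN. The subgroup check in speke_shared_key is what stops an active peer from sending 1 or p-1 to force a predictable key; the per-run confirmation is what limits an active attacker to one PIN guess per connection, which a lockout counter can then bound.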
