Authentication of people is an especially subtle engineering problem. Yet, strong network-based authentication of people does not require complex secret information ... if "complex" means demanding at least {64, 80, 128} random bits.
With emerging strong password schemes, your average one-in-a-thousand or one-in-a-million kind of secret can do some pretty neat things -- in some cases with no need at all for stored secrets, as in a [SP]EKE password-encrypted chat session.

Password-based techniques are one of the subjects being addressed by the IEEE P1363 working group, and the apparently successful job of a number of schemes, some of which are listed here:

http://grouper.ieee.org/groups/1363/StudyGroup/submissions.html

(But please don't ask me how this relates to "Rubber hoses".)

At 11:24 AM 11/5/01 -0600, Rick Smith wrote:

>If we look at authentication as an engineering problem, then
>you can only 'authenticate' between entities that share some
>fairly complex secret information. Anything else can be spoofed
>pretty easily. I don't think it's practical to speak of strong,
>network based authentication between 'users' unless we tie them
>to physical devices that store those secrets (private keys, etc.).

(See comments above.)

>Of course, this distinction simply illustrates the gap between
>our policy objectives (authenticate particular roles and/or
>entities) versus the available tools (verify ownership of hard
>to forge credentials).

I definitely agree that the "gap" is huge in most systems.

>Rick.
>[EMAIL PROTECTED] roseville, minnesota
>"Authentication" in bookstores http://www.visi.com/crypto/

-- David

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
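The claim in the message above is that a low-entropy password can seed an exchange whose output is a full-strength session key, with nothing stored beyond the password-derived value. The following SPEKE-style password-authenticated key exchange is an added example written for this page; it is not code from the poster, from the IEEE P1363 submissions, or from any SPEKE implementation. It assumes a toy 63-bit safe prime found at import time (a labelled stand-in for a standardized large group), SHA-256 as the hash, and HMAC tags for key confirmation; the party names and the `Party`/`run_exchange` helpers are this example's own. The subgroup check on received values is included because omitting it is the classic failure mode of this family of protocols.

```python
"""Toy SPEKE-style password-authenticated key exchange (added example).

A weak password selects a Diffie-Hellman generator g = H(pw)^2 mod p; the
exchange then yields a 256-bit session key.  A passive observer sees only
g^a and g^b, which gives no offline way to test password guesses.  The
group here is deliberately tiny so the example runs instantly; it is a
constructed demo parameter, not a deployable one.
"""
import hashlib
import hmac
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int) -> bool:
    """Trial division plus Miller-Rabin; these bases are deterministic for n < 2**64."""
    if n < 2:
        return False
    if n == 2:
        return True
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> tuple:
    """Smallest safe prime p = 2q + 1 with prime q >= start; returns (p, q)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Constructed toy group: 63-bit safe prime, far too small for real use.
P, Q = find_safe_prime(1 << 62)
KEY_BYTES = (P.bit_length() + 7) // 8


def password_generator(password: str) -> int:
    """SPEKE generator g = H(pw)^2 mod p; squaring lands in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    g = pow(h % P, 2, P)
    if g in (0, 1):  # only if H(pw) mod p is 0 or +-1; negligible probability
        raise ValueError("degenerate generator for this password/group")
    return g


def valid_group_element(x: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup (small-subgroup defence)."""
    return 1 < x < P - 1 and pow(x, Q, P) == 1


class Party:
    """One side of the exchange; holds only the password-derived generator and an ephemeral exponent."""

    def __init__(self, name: str, password: str):
        self.name = name
        self.g = password_generator(password)
        self.priv = secrets.randbelow(Q - 2) + 2  # random exponent in [2, q-1]
        self.pub = pow(self.g, self.priv, P)       # the only value sent on the wire
        self.key = None

    def derive_key(self, peer_pub: int) -> bytes:
        if not valid_group_element(peer_pub):
            raise ValueError("peer value outside the prime-order subgroup")
        shared = pow(peer_pub, self.priv, P)       # g^(ab) only if both used the same g
        self.key = hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()
        return self.key

    def confirm_tag(self, peer_name: str) -> bytes:
        msg = f"confirm:{self.name}->{peer_name}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def check_tag(self, peer_name: str, tag: bytes) -> bool:
        msg = f"confirm:{peer_name}->{self.name}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def run_exchange(pw_alice: str, pw_bob: str) -> dict:
    """Run the exchange; with differing passwords the keys differ and confirmation fails."""
    alice, bob = Party("alice", pw_alice), Party("bob", pw_bob)
    ka = alice.derive_key(bob.pub)
    kb = bob.derive_key(alice.pub)
    a_ok = alice.check_tag("bob", bob.confirm_tag("alice"))
    b_ok = bob.check_tag("alice", alice.confirm_tag("bob"))
    return {"keys_match": ka == kb, "confirmed": a_ok and b_ok, "key_bits": len(ka) * 8}


def rejects(x: int) -> bool:
    """True if a party refuses peer value x (shows the subgroup check in action)."""
    try:
        Party("probe", "probe-pw").derive_key(x)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_exchange("pin-4721", "pin-4721"))  # same four-digit-style secret: 256-bit key, confirmed
    print(run_exchange("pin-4721", "pin-4722"))  # one side wrong: no key agreement, not confirmed
```

The point to take from the run is that a secret with a few thousand possibilities still ends in a 256-bit key, and a wrong guess costs the guesser one live exchange each time, which is what makes online lockout or rate limiting an effective control for this class of scheme.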