Re: when a fraud is a sale, Re: Rubber hose attack

2001-11-10 Thread Peter Gutmann

Rick Smith at Secure Computing [EMAIL PROTECTED] writes:
>At 06:48 PM 11/5/2001, David Jablon wrote:
>>Yet, strong network-based authentication of people does not require
>>complex secret information ... if complex means demanding
>>at least {64, 80, 128} random bits.
>>
>>With emerging strong password schemes, your average one-in-a-thousand
>>or one-in-a-million kind of secret can do some pretty neat things --
>>in some cases with no need at all for stored secrets,
>>as in a [SP]EKE password-encrypted chat session.
>
>Definitely true. It would be great to see that technology replace the
>relatively vulnerable challenge response hashes used by Microsoft and others.
>In general I'm skeptical of protocols that rely entirely on a memorized secret
>for remote access security, but the [SP]EKE stuff is supposed to use the weak
>secret to bootstrap a strong one without opening a crack that might allow a
>dictionary attack on the weak secret. A slick idea.

... contained within a minefield of patents and IP restrictions, which is
killing its use.  What would be necessary is either for someone (presumably
with an army of lawyers to back them up) to state that a particular (sound)
scheme was free of any IP restrictions, or for one or more of the groups with
patents to state they'd allow everyone royalty-free use.  As it is at the
moment, it's just too risky to do anything.  Even if someone has a technology
which they claim is unencumbered, others may claim that they have some patent
which covers it, or the situation is unclear enough to scare off companies who
are afraid of lawsuits.  As a result, no-one can do anything.

Peter.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
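The property discussed in the message above (a weak secret bootstrapping a strong key without giving an observer a way to test guesses), as an added example that is not code from any poster in this thread. It is a textbook-style SPEKE sketch beside a generic keyed-hash challenge-response; all function and class names are hypothetical, the passwords are constructed samples, and key confirmation is left out.

```python
import hashlib, hmac, secrets

# Safe prime p = 2q + 1: the 768-bit Oakley Group 1 modulus from RFC 2409.
# Too small for production use; chosen only to keep the example short.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def speke_generator(password):
    """g = H(password)^2 mod p, an element of the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h, 2, P)

class SpekeParty:
    def __init__(self, password):
        self._g = speke_generator(password)
        self._x = secrets.randbelow(Q - 2) + 2   # ephemeral secret exponent
        self.public = pow(self._g, self._x, P)   # the only value put on the wire

    def session_key(self, peer_public):
        # Reject degenerate values that would force a predictable shared secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer value")
        shared = pow(peer_public, self._x, P)
        return hashlib.sha256(shared.to_bytes(96, "big")).digest()

def speke_transcript_fits(observed_public, guess):
    """The only check a passive observer has for a guessed password: does the
    observed value lie in the subgroup generated by the guess's g? Because q
    is prime, every g != 1 generates the same subgroup, so every guess fits."""
    return speke_generator(guess) != 1 and pow(observed_public, Q, P) == 1

def challenge_response(password, challenge):
    """Generic keyed-hash challenge-response (not any vendor's protocol)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

def cr_transcript_fits(challenge, response, guess):
    """Here the recorded pair confirms or rejects each guess offline."""
    return hmac.compare_digest(challenge_response(guess, challenge), response)
```

With SPEKE a wrong password only shows up as mismatched session keys, so each guess costs one live protocol run; with the keyed-hash exchange a single recorded challenge/response pair is enough to check guesses offline.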



Re: when a fraud is a sale, Re: Rubber hose attack

2001-11-10 Thread Rich Salz

Nobody is gonna indemnify the world against infringement, but I thought
Stanford's SRP protocol comes as close as realistically possible to what
you're asking for.
/r$
-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com


