At 02:43 PM 12/7/00, Peter Fairbrother wrote:

>In WW2 SOE and OSS used original poems which were often pornographic. See
>"Between Silk and Cyanide" by Leo Marks for a harrowing account.

Yes, a terrific book. However, the book also contains an important lesson 
regarding human memory.

Marks was responsible for training agents in crypto procedures to use while 
operating behind enemy lines, and he was also responsible for decrypting 
the messages they sent back. Marks found himself organizing a cryptanalysis 
team (independent of Bletchley) primarily for the purpose of cracking 
mis-encrypted messages received from their own agents. In short, the agents 
mis-remembered their poems and used their faulty recollection as the basis 
for their encryption.

Now, just how do we intend to address such concerns in our memory-based 
authentication systems? Our whole technology for using memorized secrets is 
built on the belief that people will remember and recite these secrets 
perfectly. Some applications could take more of a 'biometric pattern 
matching' strategy that measures the distance between the actual passphrase 
and a stored pattern. But this won't provide us with a secret we can use in 
crypto applications like PGP.


Rick.
[EMAIL PROTECTED]         roseville, minnesota
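
The trade-off raised in the last paragraph of the message above, as an added example that is not part of the original post: a distance-based matcher accepts a passphrase recalled with one wrong word, but a key derived from that same recollection is unrelated to the original key. The poem line, salt, word-level edit distance, error threshold and PBKDF2 parameters are all assumptions chosen for illustration.

```python
import hashlib

# Constructed sample data (not from the original message).
STORED = "the quiet river carries every secret to the sea"
RECALLED = "the quiet river carries all secret to the sea"  # one word misremembered
SALT = b"constructed-demo-salt"

def normalize(phrase):
    """Lower-case and split into words so spacing and case do not count as errors."""
    return phrase.lower().split()

def edit_distance(a, b):
    """Levenshtein distance between two sequences (here, lists of words)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # word dropped
                           cur[j - 1] + 1,           # word inserted
                           prev[j - 1] + (x != y)))  # word substituted
        prev = cur
    return prev[-1]

def fuzzy_match(stored, attempt, max_word_errors=1):
    """'Pattern matching' authentication: accept if the attempt is close enough.
    The verifier must hold the stored phrase in a comparable form to do this."""
    return edit_distance(normalize(stored), normalize(attempt)) <= max_word_errors

def derive_key(phrase, salt, iterations=100_000):
    """Passphrase-to-key derivation: every word must be exact to get the same key."""
    material = " ".join(normalize(phrase)).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)

def differing_bits(k1, k2):
    """Number of bit positions in which two equal-length keys differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(k1, k2))

if __name__ == "__main__":
    k_good, k_bad = derive_key(STORED, SALT), derive_key(RECALLED, SALT)
    print("fuzzy match accepts recollection:", fuzzy_match(STORED, RECALLED))
    print("derived keys identical:          ", k_good == k_bad)
    print("key bits that differ (of 256):   ", differing_bits(k_good, k_bad))
```
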

