----- Original Message -----
From: "James A. Donald" <[EMAIL PROTECTED]>
To: <[email protected]>; <[EMAIL PROTECTED]>
Sent: Wednesday, March 09, 2005 4:25 AM

[...]

> > > However, techniques that establish that the parties share a
> > > weak secret without leaking that secret have been around
> > > for years -- Bellovin and Merritt's DH-EKE, David Jablon's
> > > SPEKE. And they don't require either party to send the
> > > password itself at the end.
>
> > They are heavily patent-laden, although untested last time I
> > looked. This has been discouraging to implementers.
>
> There seem to be a shitload of protocols, in addition to SPEKE
> and DH-EKE.
>
> A password protocol should have the following properties:
>
> 1. It should identify both parties to each other, that is to
> say, be secure against replay and man-in-the-middle attacks, in
> particular, strong against phishing. It should be secure
> against replay and dictionary attacks by an eavesdropper or
> man-in-the-middle. Such an attacker should be able to do no
> better than someone who just tries repeatedly to log on to the
> server with a guessed password.
>
> 2. It should be as strong as practical against offline attacks
> by the server itself. The server operators, or someone who has
> stolen information from them, should not know the user's
> password, and dictionary attacks should be sufficiently
> expensive that a strong password (not your ordinary password)
> is secure.
>
> Can anyone suggest a well-reviewed, unpatented protocol that
> has the desired properties?
SRP? It's patented, but available under a royalty-free BSD-style license: http://srp.stanford.edu/license.txt .

Enzo

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
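Enzo's suggestion, SRP, worked through as an added example (this is not code from the thread or from the Stanford SRP project): a minimal SRP-6a exchange in which the server stores only a salt and a verifier, never the password (James's property 2), and the two sides arrive at the same key only when the client's password matches (property 1). The group is a constructed toy safe prime of about 29 bits found at run time, and the hash and padding details are simplified relative to RFC 5054.

```python
import hashlib
import secrets

def is_prime(n):  # trial division: fine for the toy sizes used here
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % f for f in range(3, int(n ** 0.5) + 1, 2))

def toy_safe_prime(start):  # first N = 2q+1 with q >= start and both q, N prime
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

# Constructed toy group of about 29 bits; real deployments use RFC 5054 groups (>= 2048 bits).
N, g = toy_safe_prime(1 << 28), 2

def H(*parts):  # SHA-256 of the concatenated byte strings, read as an integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")
def i2b(n):     # every group element fits in 4 bytes in this toy group
    return n.to_bytes(4, "big")
k = H(i2b(N), i2b(g)) % N  # SRP-6a multiplier (padding of g omitted in this toy)

def private_x(username, password, salt):
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enroll(username, password):  # client side; the server keeps only (salt, v = g^x)
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def client_key(username, password, salt, a, B):
    if B % N == 0:  # spec says abort: a zero B would make the session key predictable
        raise ValueError("bad server public value")
    A, x = pow(g, a, N), private_x(username, password, salt)
    u = H(i2b(A), i2b(B))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # = g^(b(a+ux)) when x matches v
    return hashlib.sha256(i2b(S)).digest()

def server_key(v, b, A, B):
    if A % N == 0:  # same abort rule for the client's public value
        raise ValueError("bad client public value")
    u = H(i2b(A), i2b(B))
    return hashlib.sha256(i2b(pow(A * pow(v, u, N) % N, b, N))).digest()  # = g^(b(a+ux))

def run_exchange(enrolled_password, attempted_password, user="alice"):  # keys agree only on a match
    salt, v = enroll(user, enrolled_password)
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A, B = pow(g, a, N), (k * v + pow(g, b, N)) % N
    return client_key(user, attempted_password, salt, a, B) == server_key(v, b, A, B)
```

A deployable version swaps in an RFC 5054 group and adds the M1/M2 key-confirmation messages so each side learns the other actually holds the key before any data flows.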
