On Mon, 13 Mar 2006, Jeremy Bishop wrote: > I suggest "password-authenticated key agreement" as a starting point for > research outside the traditional public-key methods. (Although, as far > as I can tell, it would require the "password" to be accessible to the > server so that the session can be set up. IOW, you get around the > problems of trusting a cert, but you're back to storing passwords in > plaintext.)
A moderate dose of modular exponentiation magic can overcome the need to store plaintext passwords on the server. See SRP <http://srp.stanford.edu/> et al. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
