> > 3. Verify that the server is who you think it is (via the public key)
> > (client can now trust server)
> > 4. Pass an encrypted token to the client (encrypted with client password)
A classic, and amateur-level mistake. You should NEVER hand out
something encrypted with a user's password to anyone who asks. Cf.
KerberosIV. :) Using the steps above, the server is now quite
courteously helping an adversary with an off-line dictionary attack.
> This kind of ad hoc
> thinking by amateurs never results in a protocol worthy of deployment.
All too true. In fact, it usually results in protocols that should be
spiked through the heart but unfortunately escape, the undead, to
torment the truly security conscious.
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
