>Rick Smith at Secure Computing <[EMAIL PROTECTED]> writes:
>>[...] the [SP]EKE stuff is supposed to use the weak
>>secret to bootstrap a strong one without opening a crack that might allow a
>>dictionary attack on the weak secret. A slick idea.
At 07:04 AM 11/11/01 +1300, Peter Gutmann wrote:
>
Nobody is gonna indemnify the world against infringement, but I thought
Stanford's SRP protocol comes as close as realistically possible to what
you're asking for.
/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
---
Rick Smith at Secure Computing <[EMAIL PROTECTED]> writes:
>At 06:48 PM 11/5/2001, David Jablon wrote:
>>Yet, strong network-based authentication of people does not require
>>complex secret information ... if "complex" means demanding
>>at least {64, 80, 128} random bits.
>>
>>With emerging strong
At 06:48 PM 11/5/2001, David Jablon wrote:
>Yet, strong network-based authentication of people does not require
>complex secret information ... if "complex" means demanding
>at least {64, 80, 128} random bits.
>
>With emerging strong password schemes, your average one-in-a-thousand
>or one-in-a-m
Authentication of people is an especially subtle engineering problem.
Yet, strong network-based authentication of people does not require
complex secret information ... if "complex" means demanding
at least {64, 80, 128} random bits.
With emerging strong password schemes, your average one-in-a-t
but in the financial case ... you don't have to identify them (aka their
DNA) ... you just match them and the account. absolutely no identity
needed. If I deposit a large sum of money and want to be the only person
authorized to transact on the account ... there is no need to present
identity car
not completely. except for some of the "know your customer rules" a
financial institution doesn't have to identify you ... they only have to
authenticate that you are the person authorized to transact with the
account; aka 1) I come in and open a brand-new account and deposit a whole
lot of
At 11:01 AM 11/5/2001, [EMAIL PROTECTED] wrote:
>The problem with all authentication technologies in use today from
>biometrics to PKI to digital certs, all finesse the identification process
>and push it off to some "trusted" third party...all without clearly
>defining what that third party m
In a message dated 11/5/01 11:28:57 AM, [EMAIL PROTECTED] writes:
<< then
you can only 'authenticate' between entities that share some
fairly complex secret information. Anything else can be spoofed
pretty easily. >>
The information does not have to be secret at all. It can be open, but not
c
At 09:49 AM 11/5/2001, [EMAIL PROTECTED] wrote:
>I tend to agree with you that we should extend the meaning
>of end-to-end to mean user-to-user, instead of device or
>token-to-token.
I'm not sure what this means.
If we get really specific, then a transaction between me and
a small used-book sel
In a message dated 11/5/01 10:55:39 AM, [EMAIL PROTECTED] writes:
<< in the account-based financial transaction ... the requestor is the
card-holder/consumer and the authorization or service entity is the
card-holder's financial institution. >>
I think you have nailed it on the head. When authe
Subject: Re: when a fraud is a sale,
Re: Rubber hose attack
In a message dated 11/5/01 9:41:44 AM, [EMAIL PROTECTED]
writes:
<<