On Tue, Mar 25, 2014 at 10:58:32AM +0000, Edward Ned Harvey (lopser) wrote:
> > From: Chase Hoffman [mailto:driftpeas...@driftpeasant.org]
> >
> > How does this compare to Steve Gibson's SQRL?
>
> Well, there's basically no similarity. They're both alternatives to sending
> your password to a server, and the similarity ends there.
>
> In CBcrypt, the servername, username, and password are all combined to create
> a site-specific, user-specific, password-specific keypair, a keypair that is
> deterministically recreatable by anyone who can combine those ingredients
> together (which requires knowing your password.) Only the username and
> public component are sent to the server. There is no need for any keychain
> manager or clientside app, as this can all be done in javascript, java, .NET,
> or whatever. The only thing a user needs to carry with them is knowledge of
> their own secret password, which is never disclosed to anyone, but *is*
> securely verifiable nonetheless.
I'll happily confess that cryptography is a field I haven't spent much time
looking at, and I might also be misinterpreting what you're saying, but it
seems odd to be generating a keypair based on two pieces of publicly
identifiable information and a password, the latter of which has a tendency
to be insecure. For example, if we're talking about twitter's main account
you know that it's "twitter.com", "twitter" and.. say.. "foo bar". In which
case why bother with the first two, everyone knows what they are?

Paul

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
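To make the mechanism in Ned's quoted description concrete, here is an added illustration; it is not CBcrypt's own code and is not taken from this thread. The page does not say which KDF, group or signature scheme CBcrypt uses, so everything below is an assumption chosen for the example: PBKDF2-SHA256 over the password with the servername and username as salt, NIST P-256 for the keypair, a Schnorr-style signature for the login challenge, and the helper names (enroll, client_respond, server_check, offline_guess) are made up here. The constructed credentials reuse Paul's "twitter.com" / "twitter" / "foo bar". The code walks through the three inputs being folded into one deterministic keypair, a server that stores only the username and the public point, a login in which the password never leaves the client, and two properties that bear on Paul's question: the two public inputs act as a salt, so the same password gives unrelated keys on every site and for every user, and because the public point is derived from the password, anyone holding it (the server, or whoever breaches it) can test password guesses offline, which is where a weak password hurts.

```python
import hashlib
import hmac
import os

# NIST P-256 domain parameters (assumed curve choice for this illustration;
# the thread does not say which group CBcrypt uses).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def ec_add(p1, p2):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:                                      # tangent slope (pow(., -1, P) needs Python 3.8+)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication. Not constant-time: demo only."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def encode_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def derive_keypair(servername, username, password, iterations=100_000):
    """Deterministically turn (servername, username, password) into a keypair.

    The two public inputs are the KDF salt: they add no secrecy, but they make
    the same password yield unrelated keys on every site and for every user.
    PBKDF2 is used only because it is in the standard library; a memory-hard
    KDF (scrypt, Argon2) would be the better choice in practice.
    """
    salt = servername.encode() + b"\x00" + username.encode()
    seed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    x = int.from_bytes(seed, "big") % (N - 1) + 1     # private scalar in [1, N-1] (negligible bias)
    return x, ec_mul(x, G)                            # (private scalar, public point)


def challenge_hash(R, pub, message):
    return int.from_bytes(hashlib.sha256(encode_point(R) + encode_point(pub) + message).digest(), "big") % N


def sign(x, pub, message):
    """Schnorr-style signature; the nonce is derived from (x, message), so no RNG is needed."""
    k = int.from_bytes(hmac.new(x.to_bytes(32, "big"), message, "sha256").digest(), "big") % (N - 1) + 1
    R = ec_mul(k, G)
    return R, (k + challenge_hash(R, pub, message) * x) % N


def verify(pub, message, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge_hash(R, pub, message), pub))


def enroll(server_db, servername, username, password):
    """Enrolment: only the username and the public point cross the wire."""
    _, pub = derive_keypair(servername, username, password)
    server_db[username] = pub
    return pub


def client_respond(servername, username, password, challenge):
    """Login, client side: re-derive the keypair and sign the server's challenge."""
    x, pub = derive_keypair(servername, username, password)
    return sign(x, pub, challenge)


def server_check(server_db, username, challenge, sig):
    """Login, server side: verify against the stored public point; the password is never seen."""
    pub = server_db.get(username)
    return pub is not None and verify(pub, challenge, sig)


def offline_guess(servername, username, pub, candidates):
    """What anyone holding the public point can do: re-derive from each candidate
    password and compare. The point is itself a password verifier."""
    for cand in candidates:
        if derive_keypair(servername, username, cand)[1] == pub:
            return cand
    return None


if __name__ == "__main__":
    db = {}
    enroll(db, "twitter.com", "twitter", "foo bar")        # constructed example credentials
    chal = os.urandom(32)
    print(server_check(db, "twitter", chal, client_respond("twitter.com", "twitter", "foo bar", chal)))
    print(offline_guess("twitter.com", "twitter", db["twitter"], ["password", "letmein", "foo bar"]))
```

The curve arithmetic is plain affine double-and-add with no side-channel protection, and the deterministic nonce is a simplified stand-in for a proper scheme such as RFC 6979; both are fine for seeing the flow, not for production. Note that offline_guess succeeds with nothing but the stored public point and the two public inputs, which is the reason the strength of the password carries the whole scheme.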