Re: password salting

---

• From: "Valery Pryamikov" <valery@xxxxxxxxx>
• Date: 13 Aug 2006 00:35:56 -0700

---

SSL is much better in this context. unauthenticated D/H is vulnerable
to the man-in-the middle, while SSL is not.

-Valery.
http://www.harper.no/valery


William Stacey [MVP] wrote:

But it could be. You could auth with the server using a well-known account
just to get a session-key to encrypt the username.

--
William Stacey [MVP]

"Valery Pryamikov" <valery@xxxxxxxxx> wrote in message
news:1155373883.048419.11160@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| Anonymous and server authenticated connection in this context is just a
| SSL/TLS connection (which is not authenticated with SRP). ;-).
|
| -Valery.
| http://www.harper.no/valery
|
| William Stacey [MVP] wrote:
| > | In SRP the password is unknown. When password is known it is not SRP,
| > | but a variant of D/H. That is btw a part of security proof of SRP -
| >
| > This is what I mean:
| >
| > http://www.ietf.org/internet-drafts/draft-ietf-tls-srp-12.txt
| >
| > "The client's user name is sent in the clear in the Client Hello
| > message. To avoid sending the user name in the clear, the client
| > could first open a conventional anonymous, or server-authenticated
| > connection, then renegotiate an SRP-authenticated connection with the
| > handshake protected by the first connection."
| >
| > --
| > William Stacey [MVP]
|

.

---

• Follow-Ups:
  • Re: password salting
    • From: William Stacey [MVP]

• References:
  • Re: password salting
    • From: Joe Kaplan \(MVP - ADSI\)
  • Re: password salting
    • From: Rob R. Ainscough
  • Re: password salting
    • From: Joe Kaplan \(MVP - ADSI\)
  • Re: password salting
    • From: William Stacey [MVP]
  • Re: password salting
    • From: Joe Kaplan \(MVP - ADSI\)
  • Re: password salting
    • From: William Stacey [MVP]
  • Re: password salting
    • From: Joe Kaplan \(MVP - ADSI\)
  • Re: password salting
    • From: William Stacey [MVP]
  • Re: password salting
    • From: William Stacey [MVP]
  • Re: password salting
    • From: Valery Pryamikov
  • Re: password salting
    • From: William Stacey [MVP]
  • Re: password salting
    • From: Valery Pryamikov
  • Re: password salting
    • From: William Stacey [MVP]
  • Re: password salting
    • From: Valery Pryamikov
  • Re: password salting
    • From: William Stacey [MVP]

• Prev by Date: Re: Is e-mail from Microsoft?
• Next by Date: How to SELECT records based upon ASP.NET Roles
• Previous by thread: Re: password salting
• Next by thread: Re: password salting
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: password salting ... You could auth with the server using a well-known account ... William Stacey [MVP] ... | SSL/TLS connection. ... | William Stacey wrote: ... (microsoft.public.dotnet.security) Re: Test Availability of TCP Port? ... > Using Async accept with a delegate or one thread per connection examples? ... > William Stacey, MVP ... Queue... ... (microsoft.public.dotnet.framework) Re: password salting ... SSL/TLS connection (which is not authenticated with SRP). ... William Stacey [MVP] wrote: ... (microsoft.public.dotnet.security) Re: TIF.what is the optimum disk space to allow? ... However even for dial-up a setting of over 2 gb is vastly excessive. ... With your broadband connection I would suggest that reduce the setting ... On-Line Help Computer Service ... In memory of a dear friend Alex Nichol MVP ... (microsoft.public.windowsxp.general) Re: Disadvantages/Cons of web services? ... >> William Stacey, MVP ... >>>> is the best part as XML, Soap, and WS-xx are all standards. ... >>>>> XML web services in real industry standard applications? ... (microsoft.public.dotnet.framework.webservices)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.dotnet.security  > 2006-08