Re: Suggestions For The Passing of Passphrases
From: Ari Silversteinn (abcarisilverstein_at_yahoo.comxyz)
Date: 06/08/05
- Next message: Jon A. Solworth: "Re: Public disclosure of discovered vulnerabilities"
- Previous message: Ari Silversteinn: "Re: Suggestions For The Passing of Passphrases"
- In reply to: Alan: "Re: Suggestions For The Passing of Passphrases"
- Next in thread: Alan: "Re: Suggestions For The Passing of Passphrases"
- Reply: Alan: "Re: Suggestions For The Passing of Passphrases"
Date: Wed, 8 Jun 2005 17:49:36 -0400
On 8 Jun 2005 14:05:09 -0700, Alan wrote:
> First, I'm assuming the two parties have not prearranged a shared
> secret or protocol. If anything has been prearranged, the passphrase
> could have been communicated in that channel, and there would be many
> ways to proceed.
Correct.
> Therefore, the communication protocol must be negotiated in public, and
> an authenticating piece of information known to both must be agreed
> upon in public. For example, "We'll prove that both of us know each
> other's mother's maiden name / birthday / etc." Hopefully you would
> use something better than that but you get the idea.
Correct, if they had a private non-surveilled channel that was practical,
they would use it.
Although nemo may hook them up :)
> Once that is
> established, Secure Remote Password (SRP) could be used to derive a key
> for securing communications based on each participant's password.
> HOWEVER, an observer will know the type of information agreed upon as
> the password. If the observer knows the identity of the participants
> he might even know the value of the password.
This is correct, so if the exchange between A and B is in front of God and
Company, then it would have to be a well kept secret *and* one easily
remembered, tip of the tongue.
> If an observer cannot determine (or gain significant information about)
> the password, I think the protocol is as secure as SRP. The trouble is
> finding a piece of data that both of you know but an observer cannot
> deduce from the negotiation phase.
>
> Alan
I visited this site for SRP and, frankly, it befuzzles me. A and B are
computer savvy but unless I missed something, this requires more than that
to generate SRP and for each of them to be able to handily use it.
Yes?
-- Drop the alphabet for email