David Jablon wrote:
Bruce Schneier wrote:
The advantages are that offline password guessing is impossible.
At 03:24 PM 9/22/98 +0100, Ben Laurie wrote:
The 'I' word always makes me nervous - do you really mean that, or do you just mean "very difficult"?
Why be nervous? It's not that hard to prevent off-line guessing of the PIN, given access to just the client's stored data. Here "impossible" means "as hard as breaking your favorite PK method".
Which is:

a) not impossible

b) not proven to be as difficult as we think it is (cf. quantum computers, novel factorisation methods).

That's why.

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689| http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author          http://www.apache-ssl.org/
London, England.      |"Apache: TDG"              http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/