At 7:39 AM -0500 9/22/98, Bruce Schneier wrote:
At 02:28 PM 9/22/98 +0100, Mok-Kong Shen wrote:
Bruce Schneier wrote:
At 02:20 PM 9/22/98 +0100, Mok-Kong Shen wrote:
If the 'mathematical magic' is not to be kept secret (as in principle shouldn't for all crypto algorithms) then presumably one could attack through brute forcing the 'remembered secrect', I guess.
Yes, but only through an on-line protocol. And if the server has some kind of "turn the user off after ten bad password guesses," then the atack doesn't work.
I remember someone wrote of the case where the attacker got the file with the millions of passwords. Then if he also knows the 'mathematical magic' he could presumably do offline work. So I suppose that the 'mathematical magic' has to be kept secret, which would work against the generally accepted crypto principles.
No. The online protocol can be public. Nothing has to be kept secret in order for this to work. That would be stupid; we all know that.
Also, that things are kept secret/unpublished NOW doesn't mean that they won't be released when the product ships. Not knowing anything about this company, they may have seen a novel way to put existing tools/methods together, and are doing Q/A, interface, and marketing work, and don't want to publicize their methods _yet_ because they COULD be beat to market by a product that has less documentation/Testing/etc. If they seem willing to release the algorythm, and essential parts of the source code, they might have at least a bit of a clue, if Mr. Schneier is willing to bet reputation capital on it, I'd be hesitant to cry "Snake oil". At least the first time. -- petro@playboy.com----for work related issues. I don't speak for Playboy. petro@bounty.org-----for everthing else. They wouldn't like that. They REALLY Economic speech IS political speech. wouldn't like that.