On Mon, 21 Sep 1998, Nick Szabo wrote:
I have consulted at both DigiCash and Arcot. I am still under nondisclosure to Arcot, so I can't answer any questions about this that go beyond the publicly available information. Arcot has recently made available on their public web site "Software Smart Cards via Cryptographc Camouflage", at http://www.arcot.com/camo2.html. At the end of this paper is referenced Rivest's "Chaffing and Winnowing" paper. These give a good overview of how such a technology can work, and the scope of its application.
I'm certainly not a cryptographer, but I'm somewhat at a loss in trying to understand the purpose of using public-key (or asymmetric key) cryptography within a policy/technology system which won't allow the use of the strengths of asymmetric key crypto. As I understand the paper you reference above, to implement this system the public key must be kept confidential, and signed documents must also be kept confidential, or the system of the security as a whole is at risk. With those constraints, why bother with the overhead (computationally/technically/legally) of asymmetric key crypto at all? It seems like much of the security in the system described above comes from the server/other party's ability to thwart brute-force attacks by detecting and responding to multiple failed attempts at authentication; that seems like a very good thing, but not really a strength or a weakness of the protocol itself, but an additional practice/protocol which is useful in many contexts. Is it really necessary/useful to call the scheme "software smart cards"? If it were called "An improved system for user authentication", I don't think it would make people nearly so suspicious. From my perspective, one of the advantages of smart card technology is that I can carry my authentication material with me; a system which puts it on my hard disk is less attractive. Floppies are portable, but not durable. I didn't understand the relationship between this scheme and Rivest's chaffing and winnowing which you note was cited as a reference in the SSC paper - would you (or someone else) mind explaining the connection? The closest I can get is thinking that there's a parallel between trying to guess which PIN in the SSC system is valid and which isn't, and the "winnowing" part of the Rivest protocol; but that doesn't seem like an especially meaningful or illuminating relationship. It looks like maybe a footnote was dropped, which would've tied the Rivest paper to a particular passage in the paper. -- Greg Broiles gbroiles@netbox.com