Bruce Schneier wrote:
The advantages are that offline password guessing is impossible.
At 03:24 PM 9/22/98 +0100, Ben Laurie wrote:
The 'I' word always makes me nervous - do you really mean that, or do you just mean "very difficult"?
Why be nervous? It's not that hard to prevent off-line guessing of the PIN, given access to just the client's stored data. Here "impossible" means "as hard as breaking your favorite PK method".

Here are three ways of authenticating based on PIN + stored key where the stored client data alone doesn't permit offline PIN guessing. These methods are arguably better than using a simplistic PIN-encrypted private key, if you're concerned about the client spilling its data.

(1) Send the PIN separately, encrypted by the server's public key. Don't encrypt the private key with the PIN. Make the server verify both PIN and private key to permit a transaction.

(2) Use the PIN + stored data to derive the private key, in a way such that any PIN will also generate a valid private key.

(3) Verify the PIN (or PIN-derived key) using password-authenticated key exchange.

Each of these approaches has other benefits and limitations.
From the posted description, it sounds like Arcot is using (2), where the PIN-encrypted data contains no verifiable plaintext.
-------------------------
David P. Jablon
dpj@world.std.com <http://world.std.com/~dpj/>
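The contrast between a simplistic PIN-encrypted private key and approach (2) above, as an added Python example that is not part of this thread: the toy group, the 4-digit PIN space and the "how many PINs are consistent with the stored data" check are all constructed for the demo. In design A the stored blob carries verifiable plaintext (a MAC tag), so the stored data alone singles out the PIN; in design B every PIN derives a valid private key and the client stores only a salt, so only the server, which holds the public key, can tell a right PIN from a wrong one.

```python
import hashlib, hmac, os

# Toy group, constructed for this demo: multiplicative group mod the Mersenne prime 2**127 - 1
# with generator 3. Chosen so the code runs on the standard library alone; not a real parameter set.
P = 2**127 - 1
G = 3
PINS = [f"{i:04d}" for i in range(10_000)]          # the whole 4-digit PIN space

def kdf(pin: str, salt: bytes) -> bytes:
    # A single PBKDF2 iteration keeps the demo fast; more iterations slow guessing, never stop it.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 1)

# Design A: the "simplistic PIN-encrypted private key". The MAC tag is verifiable plaintext.
def enroll_encrypted(pin: str, priv: int) -> dict:
    salt = os.urandom(16)
    k = kdf(pin, salt)
    ct = bytes(a ^ b for a, b in zip(priv.to_bytes(16, "big"), k[:16]))
    tag = hmac.new(k[16:], ct, "sha256").digest()[:8]
    return {"salt": salt, "ct": ct, "tag": tag}      # everything the client stores

def pins_consistent_with_encrypted(stored: dict) -> list:
    # Defender's check: how many PINs does the stored blob alone rule in? Ideally all of them.
    hits = []
    for pin in PINS:
        k = kdf(pin, stored["salt"])
        tag = hmac.new(k[16:], stored["ct"], "sha256").digest()[:8]
        if hmac.compare_digest(tag, stored["tag"]):
            hits.append(pin)
    return hits

# Design B, approach (2): derive the private key from PIN + salt so that every PIN yields a
# valid exponent, and keep the public key on the server only.
def derive_private_key(pin: str, salt: bytes) -> int:
    return int.from_bytes(kdf(pin, salt), "big") % (P - 2) + 1   # always in [1, P-2]

def enroll_derived(pin: str) -> tuple:
    salt = os.urandom(16)
    pub = pow(G, derive_private_key(pin, salt), P)   # sent to the server at enrollment
    return {"salt": salt}, pub                       # the client stores only the salt

def pins_consistent_with_derived(stored: dict) -> list:
    # Every PIN derives a usable key and the client store holds nothing to check it against.
    return [pin for pin in PINS if 1 <= derive_private_key(pin, stored["salt"]) <= P - 2]

def server_accepts(stored: dict, pub: int, pin: str) -> bool:
    # Simplified: a real client would prove knowledge of the exponent (e.g. with a signature);
    # here it just recomputes G**x. Only the server, holding pub, can tell right from wrong,
    # and it can count and throttle failed attempts.
    return pow(G, derive_private_key(pin, stored["salt"]), P) == pub
```

Design B holds only while the public key stays with the server: anyone who obtains both the client's salt and pub can run the same loop the server runs, so the "just the client's stored data" qualifier in the post is doing real work.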