Re: I'll show you mine if you show me, er, mine
> However, techniques that establish that the parties share a weak secret without leaking that secret have been around for years -- Bellovin and Merritt's DH-EKE, David Jablon's SPEKE. And they don't require either party to send the password itself at the end.
>
> They are heavily patent laden, although untested last time I looked. This has been discouraging to implementers.

There seem to be a shitload of protocols, in addition to SPEKE and DH-EKE.

A password protocol should have the following properties:

1. It should identify both parties to each other, that is to say, be secure against replay and man-in-the-middle attacks, and in particular be strong against phishing. It should be secure against replay and dictionary attacks by an eavesdropper or man-in-the-middle. Such an attacker should be able to do no better than someone who just tries repeatedly to log on to the server with a guessed password.

2. It should be as strong as practical against offline attacks by the server itself. The server operators, or someone who has stolen information from them, should not know the user's password, and dictionary attacks should be sufficiently expensive that a strong password (not your ordinary password) is secure.

Can anyone suggest a well reviewed, unpatented, protocol that has the desired properties?

--digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     A8bCmCXDTAX2Syg907T7uRpajs77l9CqLEii+ezP
     42zQDcP3xJXtcLPSgCVa55kew+ALkrQ/I50PFm9lC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

* "James A. Donald" <jamesd@echeque.com> [2005-03-08 12:25 -0800]:
> > However, techniques that establish that the parties share a weak secret without leaking that secret have been around for years -- Bellovin and Merritt's DH-EKE, David Jablon's SPEKE. And they don't require either party to send the password itself at the end.
> >
> > They are heavily patent laden, although untested last time I looked. This has been discouraging to implementers.
>
> There seem to be a shitload of protocols, in addition to SPEKE and DH-EKE.
These are classed as 'strong password protocols', and include protocols like SRP (implemented in Cyrus SASL I think, but not used commercially anywhere that I know of - sure, Cyrus SASL is, but those that use it typically only support a couple of authentication methods, and SRP isn't one of them) and PDM (Password Derived Moduli). They have in common the use of the Diffie-Hellman exchange, or slightly modified versions of it.
> A password protocol should have the following properties:
>
> 1. It should identify both parties to each other, that is to say, be secure against replay and man-in-the-middle attacks, and in particular be strong against phishing. It should be secure against replay and dictionary attacks by an eavesdropper or man-in-the-middle. Such an attacker should be able to do no better than someone who just tries repeatedly to log on to the server with a guessed password.
>
> 2. It should be as strong as practical against offline attacks by the server itself. The server operators, or someone who has stolen information from them, should not know the user's password, and dictionary attacks should be sufficiently expensive that a strong password (not your ordinary password) is secure.
I'm not sure how the DH aspect plays into these properties. These protocols all exist in an 'augmented' form (except SRP which has no other form) which adds the property that ownership of the server database does not facilitate impersonation. That seems sufficient.
> Can anyone suggest a well reviewed, unpatented, protocol that has the desired properties?
SRP, augmented PDM, both are good and unpatented, but SPEKE claims dominion over all of them, despite the fact that DH-EKE predates it and DH is the foundational technology. Thus, most people think the patent is silly nonsense, but are unwilling to test it by (say) including full SRP support in a popular and successful software product.

Of course, my assumptions about there being no such products are exactly that. If there are such products I would be very interested to hear about them.

...

BTW, in case it isn't obvious, as I wrote this mail I was referencing the Kaufman, Perlman and Speciner 'Network Security' book for verification. I had a close encounter with the politics of this patent a couple of years ago though, and have directly observed its chilling effect.

salaam-shalom
2005-03-08 @ 13:28 -0800
- --
G. Hopper, there were a thousand subterfuges = 353
2048R/49AFAFC8 472B 0E78 FCD8 41C1 172B 11F6 90E1 0E2A 49AF AFC8
JID: caine@unstable.nl
-----BEGIN PGP SIGNATURE-----

iQEVAwUBQi4ZpJDhDipJr6/IAQqjqAf+MeCDsc8XOUKPkhIcWOj8B+Nck8cIbYYD
SKayJ25dhJiCdm7qzzyydL0hzqb4Jlre8WE+IxU9RZXYbfw6d8XV0kU27LMjRHIm
+ppn/yo54wOVBp2lq7TLw5Wjurn4Uo8Ltestt7tdCzEgn4bPrs0c3grMQLBaEZzb
axQAOszUfV3UNjz/zURnOz/AuvNYbSeJXqdq5OkRtP7Cyyb5mtfLZ+X1odCWZ4xW
7tGAS8N6RhDtC303lbgINxcrbQdUxhatVRWR2n1uCa58rWxbmO2s1DpvE4NfQTNR
f/2K59Of1lExfW09boPKgLmpY8ghSBMhZB3biAON/VH5f0hjFlo4+Q==
=Aw9j
-----END PGP SIGNATURE-----
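The kind of protocol both messages above are discussing, as an added worked example (this is editorial illustration code, not from either poster, from Cyrus SASL, or from any SRP distribution): a toy SRP-6a run covering enrollment, which leaves only (salt, verifier) on the server; the two-message exchange; the mutual proofs M1 and M2 that give Donald's property 1 (a wrong password costs the attacker one failed online attempt and the server reveals nothing); and the offline dictionary attack that a stolen verifier still permits, which is what his property 2 is about. The message layout follows Wu's SRP-6a (k = H(N, g), u = H(A, B), M1 = H(H(N) xor H(g), H(I), s, A, B, K), M2 = H(A, M1, K)) with SHA-256. The group is an assumption made so the example runs instantly: a ~64-bit safe prime found by a deterministic search, far too small for real use, where a 2048-bit or larger group such as those in RFC 5054 is required.

```python
"""Toy SRP-6a (augmented PAKE): enrollment, both sides' messages, mutual proofs,
and the offline attack a stolen verifier still permits. ASSUMPTION: ~64-bit group."""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic MR below 3.3e24

def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start: int) -> int:
    """Smallest safe prime N = 2q + 1 with q >= start // 2 (deterministic search)."""
    q = (start // 2) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

N = safe_prime_from(1 << 63)  # TOY modulus; real deployments use >= 2048-bit groups
g = next(c for c in range(2, N) if pow(c, (N - 1) // 2, N) == N - 1)  # primitive root

def pad(n: int) -> bytes:          # SRP's PAD(): big-endian, width of N
    return n.to_bytes((N.bit_length() + 7) // 8, "big")

def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()
def hint(*parts: bytes) -> int:
    return int.from_bytes(sha(*parts), "big")

k = hint(pad(N), pad(g))           # SRP-6a multiplier, fixed per group

def private_x(salt: bytes, identity: bytes, password: bytes) -> int:
    return hint(salt, sha(identity, b":", password))

def enroll(identity: bytes, password: bytes):
    """Client-side registration: server stores only (salt, v = g^x); x stays with the client."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)

def client_proof(identity, salt, A, B, K):
    hxor = bytes(a ^ b for a, b in zip(sha(pad(N)), sha(pad(g))))
    return sha(hxor, sha(identity), salt, pad(A), pad(B), K)

def server_step1(db, identity, A):
    """Server gets (identity, A), answers (salt, B); K is derived from v alone."""
    if A % N == 0:
        raise ValueError("A = 0 mod N would force S = 0")
    salt, v = db[identity]
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = hint(pad(A), pad(B))
    K = sha(pad(pow(A * pow(v, u, N) % N, b, N)))
    return salt, B, (identity, salt, A, B, K)

def server_step2(state, M1):
    """A wrong M1 is one failed online guess; the server then sends nothing."""
    identity, salt, A, B, K = state
    if not secrets.compare_digest(M1, client_proof(identity, salt, A, B, K)):
        return None
    return sha(pad(A), M1, K)

def run_login(db, identity, password) -> bool:
    """Whole exchange; True only when both sides have authenticated each other."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                # client -> server: I, A
    salt, B, state = server_step1(db, identity, A)  # server -> client: s, B
    if B % N == 0:
        raise ValueError("B = 0 mod N")
    x = private_x(salt, identity, password)
    u = hint(pad(A), pad(B))
    K = sha(pad(pow((B - k * pow(g, x, N)) % N, a + u * x, N)))
    M1 = client_proof(identity, salt, A, B, K)      # client -> server: M1
    M2 = server_step2(state, M1)                    # server -> client: M2, or reject
    return M2 is not None and secrets.compare_digest(M2, sha(pad(A), M1, K))

def crack_verifier(identity, salt, v, candidates):
    """Offline attack on a stolen (salt, v): one hash + one modexp per guess."""
    for guess in candidates:
        if pow(g, private_x(salt, identity, guess), N) == v:
            return guess
    return None
```

Enroll a user with enroll(), put the (salt, verifier) pair in a dict keyed by identity, and run_login() returns True for the right password and False for a wrong one; in the failure case the server has seen exactly one bad M1 and sent no M2, which is the "no better than an online guess" bound of property 1. A stolen verifier does not let the thief log in as the user without first recovering x, which is the 'augmented' property Kwai Chang Caine describes, but crack_verifier() shows the residual exposure: each guess costs one SHA-256 plus one exponentiation, so with x derived by a single cheap hash as here, a weak password falls quickly to a stolen database. That per-guess cost, and the user's password strength, are all that property 2 rests on.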
participants (2)
- James A. Donald
- Kwai Chang Caine