ArcotSign (was Re: Does security depend on hardware?)
Mok-Kong Shen
mok-kong.shen at stud.uni-muenchen.de
Mon Sep 21 17:25:45 PDT 1998
Bruce Schneier wrote:
>
> >I suppose you misunderstood me. I mean the 'mathematical magic'
> >cannot be made public. (Or is 'online protocol' = 'mathematical magic'?)
> >If the 'magic' is public then the attacker with the pool of passwords
> >could brute force offline.
>
> No. You misunderstood me. There is NOTHING secret except the key.
> The online protocol, mathematical magic, source code, algorithm details,
> and everything else can be made public. There are no secrets in the
> system except for the keys.
In that case please allow me to go back to a point raised by me
previously. The user uses his 'remembered secret' (of fewer bits)
through a public algorithm (including protocol) to retrieve from a
pool the password (of more bits). If the attacker doesn't have the
pool then everything looks fine. But if he manages to get the pool
(a case someone mentioned in this thread) then he can obviously
brute force offline, I believe, since he possesses now everything
the legitimate user has, excepting the 'remembered secret'. Or is
there anything wrong with my logic?
M. K. Shen
More information about the cypherpunks-legacy
mailing list