ArcotSign (was Re: Does security depend on hardware?)

David Jablon dpj at world.std.com
Tue Sep 22 07:50:41 PDT 1998

Bruce Schneier wrote:
>> The advantages are that offline password guessing is impossible.

At 03:24 PM 9/22/98 +0100, Ben Laurie wrote:
> The 'I' word always makes me nervous - do you really mean that, or do
> you just mean "very difficult"?

Why be nervous?  It's not that hard to prevent off-line
guessing of the PIN, given access to just the client's stored
data.  Here "impossible" means "as hard as breaking your
favorite PK method".

Here are three ways of authenticating based on PIN + stored key
where the stored client data alone doesn't permit offline PIN
guessing.  These methods are arguably better than using a
simplistic PIN-encrypted private key, if you're concerned
about the client spilling its data.

(1)	Send the PIN separately, encrypted by the server's public key.
	Don't encrypt the private key with the PIN.  Make the server
	verify both PIN and private key to permit a transaction.

(2)	Use the PIN + stored data to derive the private key,
	in a way such that any PIN will also generate a valid
	private key.

(3)	Verify the PIN (or PIN-derived key) using
	password-authenticated key exchange.

Each of these approaches has other benefits and limitations.
From the posted description, it sounds like Arcot is using (2),
where the PIN-encrypted data contains no verifiable plaintext.

-------------------------
David P. Jablon
dpj at world.std.com
<http://world.std.com/~dpj/>
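The contrast between a simplistic PIN-encrypted private key and approach (2), as an added Python example that is not from the thread or from Arcot's product. It uses a toy discrete-log group in which every exponent is a valid private key; the group, the 4-digit PIN space, the header string and the key and PIN values are constructed for illustration, and a real system would use a slow KDF rather than one SHA-256 call.

```python
import hashlib

# Toy discrete-log group: g = 3 in Z_p*, p = 2^127 - 1 (a Mersenne prime).
# Every exponent in [1, p-2] is a valid private key, which is exactly what
# scheme (2) relies on. All constants below are constructed for illustration.
P = 2**127 - 1
G = 3
PIN_SPACE = [f"{i:04d}" for i in range(10000)]      # assumed 4-digit PINs

def pin_key(pin: str, nbytes: int = 32) -> bytes:
    """PIN-derived key material (plain SHA-256 here, a slow KDF in practice)."""
    return hashlib.sha256(b"pin-kdf|" + pin.encode()).digest()[:nbytes]

# --- Simplistic scheme: PIN-encrypted private key with a recognisable header ---
def naive_store(x: int, pin: str) -> bytes:
    plain = b"PRIV" + x.to_bytes(16, "big")           # header = verifiable plaintext
    return bytes(a ^ b for a, b in zip(plain, pin_key(pin, len(plain))))

def naive_recover(blob: bytes, pin: str):
    plain = bytes(a ^ b for a, b in zip(blob, pin_key(pin, len(blob))))
    return int.from_bytes(plain[4:], "big") if plain[:4] == b"PRIV" else None

# --- Scheme (2): stored data + ANY PIN yields a well-formed private key ---
def camo_store(x: int, pin: str) -> int:
    h = int.from_bytes(pin_key(pin), "big")
    return (x - 1 + h) % (P - 2)

def camo_recover(stored: int, pin: str) -> int:
    h = int.from_bytes(pin_key(pin), "big")
    return ((stored - h) % (P - 2)) + 1               # always a valid exponent

def offline_survivors(check) -> int:
    """How many PINs the stored client data alone fails to rule out."""
    return sum(1 for pin in PIN_SPACE if check(pin) is not None)

def server_accepts(pub: int, x: int) -> bool:
    """Only the server, which holds the public key, can tell right from wrong."""
    return pow(G, x, P) == pub

def demo():
    x, pin = 0x1234_5678_9abc_def0_0fed_cba9_8765_4321, "4271"   # constructed
    pub = pow(G, x, P)
    blob, stored = naive_store(x, pin), camo_store(x, pin)
    naive = offline_survivors(lambda c: naive_recover(blob, c))   # header filters
    camo = offline_survivors(lambda c: camo_recover(stored, c))   # nothing to filter
    ok = server_accepts(pub, camo_recover(stored, pin))
    bad = server_accepts(pub, camo_recover(stored, "0000"))
    return naive, camo, ok, bad

if __name__ == "__main__":
    print(demo())   # (1, 10000, True, False)
```

With the header, the stored blob alone narrows the PIN to one candidate; with scheme (2) all 10000 PINs decrypt to an equally plausible key, and only the server's public-key check separates them.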
