I'll show you mine if you show me, er, mine

[Kwai Chang Caine]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

* "James A. Donald" <jamesd at echeque.com> [2005-03-08 12:25 -0800]:
> > > However, techniques that establish that the parties share a 
> > > weak secret without leaking that secret have been around 
> > > for years -- Bellovin and Merritt's DH-EKE, David Jablon's 
> > > SPEKE. And they don't require either party to send the 
> > > password itself at the end.
> 
> > They are heavily patent laden, although untested last time I 
> > looked. This has been discouraging to implementers.
> 
> There seem to be a shitload of protocols, in addition to SPEKE 
> and DH-EKE

These are classed as 'strong password protocols', and include protocols
like SRP (implemented in cyrus sasl I think, but not used commercially
anywhere that I know of - sure cyrus sasl is, but those that use is
typically only support a couple of authentication methods, and SRP isn't
one of them) and PDM (Password Derived Moduli).

They have in common the use of Diffie-Hellman exchange, or slightly
modified versions of it.

> A password protocol should have the following properties:
> 
> 1. It should identify both parties to each other, that is to 
> say, be secure against replay and man in the middle attacks, in 
> particular, strong against phishing.. It should be secure 
> against replay and dictionary attacks by an evesdropper or 
> man-in-the-middle.  Such an attacker should be able to no 
> better than someone who just tries repeatedly to log on to the 
> server with a guessed password
> 
> 2.  It should be as strong as practical against offline attacks 
> by the server itself.  The server operators, or someone who has 
> stolen information from them, should not know the users 
> password, and dictionary attacks should be sufficiently 
> expensive that a strong password (not your ordinary password) 
> is secure.

I'm not sure how the DH aspect plays into these properties.  These
protocols all exist in an 'augmented' form (except SRP which has no
other form) which adds the property that ownership of the server
database does not facilitate impersonation.  That seems sufficient.

> Can anyone suggest a well reviewed, unpatented, protocol that 
> has the desired properties? 

SRP, augmented PDM, both are good and unpatented, but SPEKE claims
dominion over all of them.  Despite the fact that DH-EKE predates it,
and DH is the foundational technology.  Thus, most people think the
patent is silly nonsense, but are unwilling to test it by (say)
including full SRP support in a popular and successful software product.

Of course, my assumptions about there being no such products are exactly
that.  If there are such products I would be very interested to hear
about them.

...

BTW, in case it isn't obvious, as I wrote this mail I was referencing
the Kaufman, Perlman and Speciner 'Network Security' book for
verification.  I had a close encounter with the politics of this
patent a couple of years ago though, and have directly observed its
chilling effect.


salaam-shalom                                 2005-03-08 @ 13:28 -0800
- -- 
G. Hopper, there were a thousand subterfuges   = 353
2048R/49AFAFC8  472B 0E78 FCD8 41C1 172B  11F6 90E1 0E2A 49AF AFC8
JID: caine at unstable.nl
-----BEGIN PGP SIGNATURE-----

iQEVAwUBQi4ZpJDhDipJr6/IAQqjqAf+MeCDsc8XOUKPkhIcWOj8B+Nck8cIbYYD
SKayJ25dhJiCdm7qzzyydL0hzqb4Jlre8WE+IxU9RZXYbfw6d8XV0kU27LMjRHIm
+ppn/yo54wOVBp2lq7TLw5Wjurn4Uo8Ltestt7tdCzEgn4bPrs0c3grMQLBaEZzb
axQAOszUfV3UNjz/zURnOz/AuvNYbSeJXqdq5OkRtP7Cyyb5mtfLZ+X1odCWZ4xW
7tGAS8N6RhDtC303lbgINxcrbQdUxhatVRWR2n1uCa58rWxbmO2s1DpvE4NfQTNR
f/2K59Of1lExfW09boPKgLmpY8ghSBMhZB3biAON/VH5f0hjFlo4+Q==
=Aw9j
-----END PGP SIGNATURE-----