
Re: password-based authentication



Hugo,

Regarding my comments on your paper "Public-key Crypto
and Password Protocols", you wrote:

> I think that a technical discussion of the nature you are
> initiating here does not belong to the ipsec list so
> I propose we move it off-line.   [...]

Ok.  I'm sensitive to your concern that my comments were
not mainstream IPSEC-list material, and could have been
taken out of context.  I'd like to pursue the technical
discussion, in a more appropriate open forum of your
choice, after Crypto.

In no way did I intend to minimize or downplay your work.
I merely meant to show how a blend of specific pragmatic and
theoretical improvements can extend and complement what
you've done.  My attacks were not specifically directed
at your method, but rather at typical systems
that use (or mis-use) similar methods.

The criticism was indeed orthogonal to the main body
of your paper.  This is why I chose to refine and build
upon, rather than replace, your key agreement scheme.

But you've recast my concerns far too narrowly, and you
seem to downplay what I believe are real, and solvable
problems.  My concern (beyond promoting my own stuff) is
not merely with the "public password" technique, but with
how to verify an uncertified public key.
Or, alternately, how to safely and conveniently
"get things started" without initially relying on a PKI.
Your paper is one of a few to seriously touch on these
issues, and I think the problem merits attention.

I'm curious about the level of interest in password-based
protocols for IPSEC.  Email responses of any kind are welcome.

-- David


At 05:01 PM 8/20/98 +0300, Hugo Krawczyk wrote:
>David,
>
>I think that a technical discussion of the nature you are 
>initiating here does not belong to the ipsec list so 
>I propose we move it off-line.
>
>One remark that I feel is necessary here is that 
>when you write to such a broad (and busy!) audience you should be 
>careful about the way you present these things.
>Anyone taking a glance at your message could easily
>conclude that the long list of problems you mention
>makes our scheme unusable or practically insecure.
>
>That's very much not true.
>All your points talk about a specific aspect of the proposal
>(orthogonal to the main cryptographic schemes), namely, the
>use of public passwords.
>
>You also fail to note that these possible attacks (under a particularly
>negligent implementation and user) require an active attack,
>that such attackers must work hard to succeed in finding a pair of public
>and private keys that hash to the given "slightly modified" public
>password, that even if all this effort by the active attacker succeeds
>it still needs to mount a dictionary attack, and so on and so forth.
>
>As for your proposal, I am willing to check it 
>but not at the expense of adding noise to this busy mailing list.
>One preliminary comment. There are some important properties of our scheme
>that are in danger with your approach: provability and protection
>against server compromise. But let's take this off-line.

Yes.  Addressing these points in detail might be tiresome for
our readers.  But, it's funny ... I too thought there were
some important properties of my schemes that were in danger
of being lost with your approach.

>I will be travelling in the next 10 days, I will be back to this
>after that (if you come to Crypto we may discuss this there)
>
>Hugo

----------------------------
David P. Jablon
dpj@world.std.com
<http://world.std.com/~dpj/>
