
Re: RESEND: Thoughts on identity attacks



At 01:41 PM 2/12/02 -0800, Dan Harkins wrote:
>On Tue, 12 Feb 2002 12:34:17 PST Khaja wrote
>> I meant shared secrets not shared password.
>
>  If that's what you meant then you shouldn't have written "shared password".
>But please explain the difference anyway. [...]

I'm pretty sure that Dan was asking a rhetorical question here.
But it is a point of common confusion.

To help, I propose the following definitions, based on observed common usage:

        shared [secret] password:
                a low-entropy secret authenticator.

        shared [secret] key:
                a high-entropy cryptographic secret.

        shared secret:
                a key that was probably derived from a password, but used in
                a cryptographic system in which there is misplaced hope that
                the secret truly does have high entropy.

I think this, plus the ambiguity argument, makes a good case for
"shared secret" to be deprecated.

-- David