[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: RESEND: Thoughts on identity attacks
At 01:41 PM 2/12/02 -0800, Dan Harkins wrote:
>On Tue, 12 Feb 2002 12:34:17 PST Khaja wrote
>> I meant shared secrets not shared password.
>
> If that's what you meant then you shouldn't have written "shared password".
>But please explain the difference anyway. [...]
I'm pretty sure that Dan was asking a rhetorical question here.
But it is a point of common confusion.
To help, I propose the following definitions, based on observed common usage:
shared [secret] password:
a low-entropy secret authenticator.
shared [secret] key:
a high-entropy cryptographic secret.
shared secret:
a key that was probably derived from a password, but used in
a cryptographic system in which there is misplaced hope that
the secret truly does have high entropy.
I think this, plus the ambiguity argument, makes a good case for
"shared secret" to be deprecated.
-- David