Bruce Schneier (schneier@counterpane.com)
Tue, 22 Sep 1998 07:39:26 -0500
At 02:28 PM 9/22/98 +0100, Mok-Kong Shen wrote:
>Bruce Schneier wrote:
>>
>> At 02:20 PM 9/22/98 +0100, Mok-Kong Shen wrote:
>
>> >If the 'mathematical magic' is not to be kept secret (as in principle
>> >shouldn't for all crypto algorithms) then presumably one could
>> >attack through brute forcing the 'remembered secrect', I guess.
>>
>> Yes, but only through an on-line protocol. And if the server has some
>> kind of "turn the user off after ten bad password guesses," then the
>> atack doesn't work.
>
>I remember someone wrote of the case where the attacker got the
>file with the millions of passwords. Then if he also knows the
>'mathematical magic' he could presumably do offline work. So I
>suppose that the 'mathematical magic' has to be kept secret, which
>would work against the generally accepted crypto principles.
No. The online protocol can be public. Nothing has to be kept secret
in order for this to work. That would be stupid; we all know that.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:14:00