EKR (ekr@rtfm.com)
14 Jan 1999 09:05:44 -0800
"James A. Donald" <jamesd@echeque.com> writes:
> --
> At 10:16 PM 1/13/99 -0800, James A. Donald wrote:
> > > [...] So all this great encryption is used to merely
> > > prove possession of a shared four digit secret. Oh wow!
>
> At 09:55 AM 1/14/99 -0500, David Jablon wrote:
> > Presuming sarcasm on your part, I disagree. You've raised
> > legitimate questions about when and where PK encryption is
> > necessary. Personally, I see no greater purpose for PK
> > encryption than to protect personal and shared secrets,
> > both large and tiny.
>
> But if we have a shared secret, then in principle we do not
> need PK, and if we have permanent public keys, we do not need
> a four digit shared secret.

James, I think you're missing David's point here.
I'll try to rephrase.

A short shared secret like a PIN is too small to use
alone, either for purposes of authentication or MEK
generation. Attempts to do so lead to protocols which
are vulnerable to off-line dictionary attack. (And an
off-line attack on a 4-digit numeric PIN is trivial.)

In order to bootstrap a PIN into securely generated
keying material, you need to use public-key style
cryptomath, with similar performance consequences.

David, of course, can speak more authoritatively
about the performance of the various methods (SPEKE,
EKE, etc.), but they're definitely slower than straight
symmetric crypto, and require more round trips.

-Ekr
-- [Eric Rescorla ekr@rtfm.com]
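
Added example, not part of the original message and not taken from any SPEKE implementation: it contrasts a PIN used alone as a MAC key, where one recorded exchange confirms the PIN off-line, with a SPEKE-style exchange whose public values fit every PIN. Assumptions: HMAC-SHA256 challenge-response stands in for the PIN-only design, the group is the RFC 2409 Oakley Group 1 prime, and the function names and the sample PIN are constructed for illustration.

```python
import hashlib, hmac, secrets

# Assumption: RFC 2409 Oakley Group 1 safe prime (768 bits), P = 2Q + 1.
# Chosen for brevity; too small for production use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
PINS = [f"{n:04d}" for n in range(10_000)]  # the whole 4-digit PIN space

def pin_only_response(pin, challenge):
    """Weak design: the PIN alone keys the MAC over a public challenge."""
    return hmac.new(pin.encode(), challenge, hashlib.sha256).digest()

def pins_matching_transcript(challenge, response):
    """PINs that one recorded (challenge, response) pair confirms off-line."""
    return [p for p in PINS
            if hmac.compare_digest(pin_only_response(p, challenge), response)]

def speke_generator(pin):
    """SPEKE-style base: hash of the PIN squared into the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(pin.encode()).digest(), "big")
    return pow(h, 2, P)

def speke_public(pin):
    """Fresh secret exponent x and the public value g(pin)^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(speke_generator(pin), x, P)

def speke_key(peer_public, x):
    shared = pow(peer_public, x, P)
    return hashlib.sha256(shared.to_bytes(96, "big")).digest()

def pins_consistent_with_speke(public):
    """PINs a passive observer cannot rule out from one public value.
    Q is prime, so every base other than 1 spans the same subgroup and the
    value fits all of them; testing a guess needs the secret exponent."""
    in_subgroup = pow(public, Q, P) == 1
    return [p for p in PINS if in_subgroup and speke_generator(p) != 1]

def demo(pin="4821"):  # constructed sample PIN
    challenge = secrets.token_bytes(16)
    weak = pins_matching_transcript(challenge, pin_only_response(pin, challenge))
    (a, A), (b, B) = speke_public(pin), speke_public(pin)
    keys_agree = speke_key(B, a) == speke_key(A, b)
    return weak, keys_agree, len(pins_consistent_with_speke(A))
```

The SPEKE-style half costs each side two 768-bit modular exponentiations where the PIN-only half costs one hash, which is the performance consequence the message describes.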