W3C home > Mailing lists > Public > ietf-tls@w3.org > July to September 1996

RE: Passphrases in or out

From: Dan Simon <dansimon@microsoft.com>
Date: Mon, 5 Aug 1996 16:09:56 -0700
Message-ID: <c=US%a=_%p=msft%l=RED-92-MSG-960805230956Z-15802@tide21.microsoft.com>
To: "'ietf-tls@w3.org'" <ietf-tls@w3.org>, "'Steve Petri'" <petri@litronic.com>
>From: Steve Petri [SMTP:petri@litronic.com]
>
>I have a question for the cryptographers...
>
>The "Shared Key Authentication for the TLS Protocol" paper
>states:
>
>==> In fact, even a challenge-response protocol which never
>==> reveals the password is vulnerable, if a poorly chosen, guessable
>==> password is used; an attacker can obtain the (weakly protected)
>==> transcript of the challenge-response protocol, then attempt to guess the
>==> password, verifying each guess against the transcript.
>
>Would not this same type of attack be possible against the current
>proposal?  It seems to me that if you are not using asymmetric crypto,
>an eavesdropper would have all required info from the transcript of
>the session to perform this type of an attack.  That is, it doesn't
>matter if the transcript is "weakly protected" or "strongly protected" --
>without asym crypto, the attacker has the same info about the session
>as the valid participants.
>
This is absolutely correct.  Fortunately, the proposal *does* involve
asymmetric crypto--for key exchange.  Once a (strong) key has been
exchanged using asymmetric cryptography, the (as-yet-anonymous) client
and (already-authenticated) server share a fresh, random secret
(presumably) unavailable to the attacker, and can use that secret to
protect the shared-key-based client authentication transcript.

				Daniel Simon
				Cryptographer, Microsoft Corp.
				dansimon@microsoft.com
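The attack Steve Petri asks about, and the mitigation Dan Simon describes, as an added example that is not part of the original thread. It runs a password-based challenge/response twice: once with the transcript in the clear, where an eavesdropper verifies dictionary guesses offline against the captured response, and once with the same messages carried inside a channel keyed by a fresh secret that stands in for the output of the asymmetric key exchange, where the captured bytes give the guesser nothing to check against. The wordlist, the SHA-256-based password key, the XOR keystream used to model record-layer encryption, and the function names are all assumptions of this example, not anything from the TLS proposal under discussion.

```python
"""Offline password guessing against a shared-key challenge/response
transcript, with and without a channel keyed by a fresh secret.
Added example; not code from the original mailing-list thread."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = ["letmein", "password", "qwerty", "hunter2", "s3cret!"]


def password_key(password: str) -> bytes:
    # Toy password-to-key derivation (assumption). Salting or stretching
    # would only slow the guesser down; it would not stop the attack.
    return hashlib.sha256(password.encode()).digest()


def respond(password: str, challenge: bytes) -> bytes:
    # Client proves knowledge of the password without ever sending it.
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()


def fresh_channel_key() -> bytes:
    # Stands in for the strong, random secret the client and server share
    # after the asymmetric key exchange; the eavesdropper does not see it.
    return secrets.token_bytes(32)


def keystream(channel_key: bytes, label: bytes, n: int) -> bytes:
    # Hypothetical keystream derived from the channel key; models the
    # encryption that wraps the client-authentication messages.
    out = b""
    counter = 0
    while len(out) < n:
        block = channel_key + label + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def wrap(channel_key: Optional[bytes], label: bytes, msg: bytes) -> bytes:
    # What goes on the wire: the plaintext when there is no channel key,
    # otherwise the message XORed with the keystream (XOR also unwraps).
    if channel_key is None:
        return msg
    return bytes(a ^ b for a, b in zip(msg, keystream(channel_key, label, len(msg))))


def run_auth(password: str, channel_key: Optional[bytes]) -> Tuple[bytes, bytes]:
    """Run one challenge/response and return what an eavesdropper records."""
    challenge = secrets.token_bytes(16)
    response = respond(password, challenge)
    return (wrap(channel_key, b"challenge", challenge),
            wrap(channel_key, b"response", response))


def offline_guess(transcript: Tuple[bytes, bytes], wordlist,
                  channel_key: Optional[bytes] = None) -> Optional[str]:
    """Verify each dictionary guess against the captured transcript.
    channel_key is whatever the attacker knows about the channel (normally
    nothing); with it, the protection collapses back to the plaintext case."""
    wire_challenge, wire_response = transcript
    challenge = wrap(channel_key, b"challenge", wire_challenge)
    response = wrap(channel_key, b"response", wire_response)
    for guess in wordlist:
        if hmac.compare_digest(respond(guess, challenge), response):
            return guess
    return None


if __name__ == "__main__":
    print("in the clear:", offline_guess(run_auth("hunter2", None), WORDLIST))
    key = fresh_channel_key()
    print("inside channel:", offline_guess(run_auth("hunter2", key), WORDLIST))
    print("attacker holding channel key:",
          offline_guess(run_auth("hunter2", key), WORDLIST, channel_key=key))
```

The third call shows the caveat: the protection is only as good as the secrecy of the channel key, which is why it has to come from the asymmetric exchange with the already-authenticated server rather than from anything derived from the password itself.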
Received on Monday, 5 August 1996 19:10:20 EDT