- From: Dan Simon <dansimon@microsoft.com>
- Date: Mon, 5 Aug 1996 16:09:56 -0700
- To: "'ietf-tls@w3.org'" <ietf-tls@w3.org>, "'Steve Petri'" <petri@litronic.com>
> From: Steve Petri[SMTP:petri@litronic.com]
>
> I have a question for the cryptographers...
>
> The "Shared Key Authentication for the TLS Protocol" paper
> states:
>
> ==> In fact, even a challenge-response protocol which never
> ==> reveals the password is vulnerable, if a poorly chosen, guessable
> ==> password is used; an attacker can obtain the (weakly protected)
> ==> transcript of the challenge-response protocol, then attempt to guess the
> ==> password, verifying each guess against the transcript.
>
> Would not this same type of attack be possible against the current
> proposal? It seems to me that if you are not using asymmetric crypto,
> an eavesdropper would have all required info from the transcript of
> the session to perform this type of an attack. That is, it doesn't
> matter if the transcript is "weakly protected" or "strongly protected" --
> without asym crypto, the attacker has the same info about the session
> as the valid participants.

This is absolutely correct. Fortunately, the proposal *does* involve asymmetric crypto--for key exchange. Once a (strong) key has been exchanged using asymmetric cryptography, the (as-yet-anonymous) client and (already-authenticated) server share a fresh, random secret (presumably) unavailable to the attacker, and can use that secret to protect the shared-key-based client authentication transcript.

Daniel Simon
Cryptographer, Microsoft Corp.
dansimon@microsoft.com
Received on Monday, 5 August 1996 19:10:20 UTC
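As an added example (not from the thread, nor the TLS proposal's own code), a toy model of the two cases Simon contrasts: a password challenge-response sent in the clear, where an eavesdropper can check candidate passwords against the captured transcript, and the same exchange carried under a fresh key from an asymmetric key exchange, where that check has nothing to match. The HMAC-based response and the keystream wrapper are assumptions standing in for the real protocol messages and the TLS record layer.

```python
import hmac
import hashlib
import os
from typing import Optional

# Constructed toy model (added example, not code from the original post).
# Wordlist stands in for the "poorly chosen, guessable" passwords the paper warns about.
WORDLIST = ["letmein", "password", "hunter2", "qwerty"]


def respond(password: str, challenge: bytes) -> bytes:
    """Client's proof of the password: an HMAC over the server's challenge.
    The password itself is never sent, yet the transcript still leaks it (see below)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def _seal(session_key: bytes, label: bytes, msg: bytes) -> bytes:
    """Toy stream-cipher wrapper keyed from the session key (assumption: stands in
    for the TLS record layer; not a real cipher construction)."""
    stream = hmac.new(session_key, label, hashlib.sha256).digest()
    return bytes(m ^ s for m, s in zip(msg, stream))


def clear_exchange(password: str) -> dict:
    """Unprotected transcript: exactly what an eavesdropper captures."""
    challenge = os.urandom(16)
    return {"challenge": challenge, "response": respond(password, challenge)}


def protected_exchange(password: str, session_key: bytes) -> dict:
    """Same exchange, but both messages are sealed under session_key, the fresh
    secret the asymmetric key exchange produced and the eavesdropper lacks."""
    challenge = os.urandom(16)
    return {
        "challenge": _seal(session_key, b"challenge", challenge),
        "response": _seal(session_key, b"response", respond(password, challenge)),
    }


def offline_guess(transcript: dict, wordlist: list) -> Optional[str]:
    """Everything the eavesdropper can do with a captured transcript alone:
    recompute the response for each candidate and compare. Returns the
    password if the transcript lets a guess be verified, else None."""
    for guess in wordlist:
        if hmac.compare_digest(respond(guess, transcript["challenge"]), transcript["response"]):
            return guess
    return None
```

With the cleartext transcript the weak password is recovered from the wordlist; with the sealed transcript the eavesdropper sees only values under a key it does not hold, so no guess can be confirmed.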