
Re: keygen tag

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Sat, 12 Dec 2009 15:33:20 +0100
Message-ID: <4B23A9B0.3090306@telia.com>
To: Vlad Avdeev <vavdeev@gmail.com>
CC: public-html-comments@w3.org

Vlad,

This is not how good protocols work; they rather create high-entropy
symmetric keys which are encrypted by public keys, then exchanged
and used for encrypting payloads.

SRP could have been widely used but Lucent killed it by requiring
licenses so it will never be featured in browsers.

Anders

Vlad Avdeev wrote:
> RSA is useless for WEB.  An eavesdropper acquires server public key,
> client public key, encrypted password, takes a dictionary of passwords,
> encrypts every possible password and compares result.  There is only one
> encryption needed to check one password from a dictionary or 30^6 checks
> to test all up to 6 character passwords.
> There is RFC 2945 - The SRP Authentication and Key Exchange System.
> http://en.wikipedia.org/wiki/Secure_remote_password_protocol
>
> RSA encryption will give a false sense of security to web programmers.
Received on Saturday, 12 December 2009 14:33:53 GMT
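The two constructions argued over in this exchange, as an added illustration that is not part of the original thread and not any W3C or browser code: Vlad's point is that a deterministic public-key operation applied directly to a low-entropy secret lets anyone holding the public key confirm dictionary guesses offline with one encryption per candidate; Anders's point is that a fresh random symmetric key wrapped under the public key, with the payload encrypted under that key, removes the guessable plaintext from the public-key step. The RSA parameters below are constructed, tiny textbook values (no padding) chosen so the arithmetic is readable, and the "symmetric cipher" is an HMAC-SHA256 counter-mode keystream standing in for a real cipher; the dictionary and passwords are constructed sample values. In practice the same defect is also closed by randomized padding such as RSA-OAEP, which this toy omits on purpose to show the bare effect.

```python
"""Deterministic public-key encryption of a password versus the hybrid
(random symmetric key + public-key wrap) construction from the thread.
All parameters are a constructed toy; nothing here is production code."""
import hashlib
import hmac
import os

# Constructed toy RSA key: 27-bit primes, so the modulus is about 2^53.
# Far too small to be secure; chosen only so the numbers stay readable.
P, Q = 100000007, 100000037
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (Python 3.8+)

# Constructed sample dictionary; entries are kept to 6 bytes so they fit N.
DICTIONARY = [b"123456", b"passwd", b"qwerty", b"hunter", b"secret"]
KEY_BYTES = 6                # toy wrapped-key size; real systems use 16-32 bytes


def rsa_raw(m, exp):
    """Textbook RSA with no padding: same input always gives the same output."""
    return pow(m, exp, N)


def encrypt_password_textbook(password):
    """The construction the thread warns against: the password itself is the
    RSA plaintext, so the ciphertext is a deterministic function of it."""
    m = int.from_bytes(password, "big")
    if m >= N:
        raise ValueError("toy modulus too small for this input")
    return rsa_raw(m, E)


def confirm_guess_textbook(ciphertext, candidates):
    """Offline confirmation using only the public key: re-encrypt each
    candidate and compare. One modular exponentiation per candidate,
    exactly the cost the thread describes."""
    for cand in candidates:
        if encrypt_password_textbook(cand) == ciphertext:
            return cand
    return None


def keystream(key, length):
    """Toy stream cipher keystream: HMAC-SHA256 over a counter.
    Stands in for a real symmetric cipher such as AES."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt_hybrid(payload):
    """Anders's construction: a fresh random symmetric key is wrapped under
    RSA, and the payload is encrypted under that key. The only thing RSA ever
    sees is a uniformly random value, not the guessable password."""
    sym_key = os.urandom(KEY_BYTES)
    wrapped = rsa_raw(int.from_bytes(sym_key, "big"), E)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(sym_key, len(payload))))
    return wrapped, ct


def decrypt_hybrid(wrapped, ct):
    """Receiver side: unwrap the symmetric key with the private exponent,
    then strip the keystream."""
    sym_key = rsa_raw(wrapped, D).to_bytes(KEY_BYTES, "big")
    return bytes(a ^ b for a, b in zip(ct, keystream(sym_key, len(ct))))


def confirm_guess_hybrid(wrapped, ct, candidates):
    """The same public-key-only check against the hybrid form. Every
    re-encryption draws a new random key, so a candidate can only match by
    guessing the key itself; with a real key size that is infeasible."""
    for cand in candidates:
        if encrypt_hybrid(cand) == (wrapped, ct):
            return cand
    return None


if __name__ == "__main__":
    leaked = encrypt_password_textbook(b"qwerty")
    print("textbook RSA, guess confirmed:", confirm_guess_textbook(leaked, DICTIONARY))
    wrapped, ct = encrypt_hybrid(b"qwerty")
    print("hybrid, guess confirmed:", confirm_guess_hybrid(wrapped, ct, DICTIONARY))
    print("hybrid decrypts to:", decrypt_hybrid(wrapped, ct))
```

Run it and the textbook branch reports the password recovered from the dictionary while the hybrid branch reports nothing, even though the same public key and the same dictionary are used in both checks. The difference is entirely in what the public-key operation is applied to: a value the sender chose from a small space versus a value drawn uniformly at random.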
