- From: Daniel W. Connolly <connolly@hal.com>
- Date: Mon, 09 Jan 1995 16:11:50 -0600
- To: Brian Behlendorf <brian@wired.com>
- Cc: www-talk@info.cern.ch, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
In message <Pine.BSD.3.91.950109121342.19279d-100000@get.wired.com>, Brian Behlendorf writes:

> Brian
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@hotwired.com brian@hyperreal.com http://www.hotwired.com/Staff/brian/

Yikes! Jinks! I asked for a reference to s-key in my p.s. Brian replies to other issues, but includes the address of his home-page. Dan wastes a little time surfing Brian's home-page, and subconsciously follows these links...

http://www.hotwired.com/Staff/brian/
http://www.hotwired.com/Staff/brian/links.html
http://www.ccs.neu.edu/home/thigpen/index.html
http://www.ccs.neu.edu/home/thigpen/html/interests.html
http://www.ccs.neu.edu/home/thigpen/html/security.html

Which has a handy reference to the S/Key paper from Bellcore:

http://www.ccs.neu.edu/home/thigpen/docs/security_papers/ISOC.symp.ps

After reading the S/Key paper, I think we should consider it in place of the simple challenge/response system.

Advantages of S/Key:

* passwords are _not_ stored on the server side in clear form.
* user can securely use the same password at different sites
* password can be changed without sending it over the net

Drawbacks:

* server-side passwd database is not read-only: server must update the user's count of logins each time
* doesn't support the opaque="..." feature of the Spyglass proposal

Dan
Received on Monday, 9 January 1995 14:23:38 UTC
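The properties Dan lists (no clear-form password on the server, one secret usable at several sites, a password change that never crosses the wire, and a server record that must be rewritten on every login) all follow from S/Key's hash-chain construction. The following is an added illustration written for this archive page, not code from the message or from Bellcore's S/Key; it uses SHA-256 in place of S/Key's folded MD4 output, and the names `otp_at`, `ServerRecord`, `server_enrol`, `client_response` and `server_verify` are assumed for the example.

```python
# Minimal S/Key-style one-time-password chain (added example, not S/Key's own code).
# Chain: x0 = seed || secret ; x_n = H(x_{n-1}).  The server stores only (seed, count, x_count).
# Login k sends x_{count-1}; the server checks H(candidate) == stored x_count, then stores
# the candidate and decrements count, which is the "read-write passwd database" drawback.
import hashlib
import hmac
from dataclasses import dataclass


def skey_hash(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for S/Key's 64-bit folded MD4 digest.
    return hashlib.sha256(data).digest()


def otp_at(secret: str, seed: str, n: int) -> bytes:
    """Client-side computation of x_n = H^n(seed || secret). The secret never leaves here."""
    x = (seed + secret).encode()
    for _ in range(n):
        x = skey_hash(x)
    return x


@dataclass
class ServerRecord:
    seed: str      # per-site seed: the same passphrase yields an unrelated chain elsewhere
    count: int     # index of the last accepted/enrolled chain element
    last: bytes    # x_count: the only secret-derived value the server ever holds


def server_enrol(secret: str, seed: str, n: int) -> ServerRecord:
    """Enrolment or password change: the client computes x_n locally and hands only x_n
    to the server, so the passphrase itself is never sent or stored."""
    return ServerRecord(seed=seed, count=n, last=otp_at(secret, seed, n))


def client_response(secret: str, seed: str, count: int) -> bytes:
    """Answer the server's challenge (seed, count) with x_{count-1}."""
    return otp_at(secret, seed, count - 1)


def server_verify(rec: ServerRecord, candidate: bytes) -> bool:
    """Accept iff H(candidate) equals the stored element; then advance the record."""
    if rec.count <= 1:
        return False  # chain exhausted (x_0 would be the clear passphrase): re-enrol first
    if not hmac.compare_digest(skey_hash(candidate), rec.last):
        return False  # wrong passphrase, wrong site, or a replayed/stale OTP
    rec.last = candidate       # server state must be rewritten on every successful login
    rec.count -= 1
    return True


def run_demo() -> dict:
    """Walk through login, replay, cross-site use and a password change; return the outcomes."""
    secret = "correct horse battery"          # constructed sample passphrase
    rec = server_enrol(secret, "site-a", 5)   # server holds x_5 only

    first = client_response(secret, rec.seed, rec.count)   # x_4
    ok_first = server_verify(rec, first)
    replayed = server_verify(rec, first)                   # x_4 again: H(x_4) != x_4
    second = client_response(secret, rec.seed, rec.count)  # x_3
    ok_second = server_verify(rec, second)

    # Same passphrase at another site: different seed, hence an unrelated chain.
    rec_b = server_enrol(secret, "site-b", 5)
    cross_site = server_verify(rec_b, client_response(secret, "site-a", 5))

    # Password change: client computes a fresh chain top; nothing secret goes over the net.
    rec = server_enrol("new passphrase", "site-a", 3)
    old_pw_after_change = server_verify(rec, client_response(secret, "site-a", 3))
    new_pw_after_change = server_verify(rec, client_response("new passphrase", "site-a", 3))

    return {
        "ok_first": ok_first,
        "replayed": replayed,
        "ok_second": ok_second,
        "count_after_two_logins": 3,
        "cross_site": cross_site,
        "old_pw_after_change": old_pw_after_change,
        "new_pw_after_change": new_pw_after_change,
        "server_holds_clear_secret": secret.encode() in (rec.last, rec_b.last),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The `count <= 1` guard is the caveat the paper's design implies but Dan's list does not spell out: once the chain is used up, the next element would be the plaintext `seed || secret`, so the user must re-enrol with a fresh chain before that point.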