RE: Passphrases in or out

>From: 	Steve Petri
>I have a question for the cryptographers...
>The "Shared Key Authentication for the TLS Protocol" paper
>==> In fact, even a challenge-response protocol which never
>==> reveals the password is vulnerable, if a poorly chosen, guessable
>==> password is used; an attacker can obtain the (weakly protected)
>==> transcript of the challenge-response protocol, then attempt to guess the
>==> password, verifying each guess against the transcript.
>Would not this same type of attack be possible against the current
>proposal?  It seems to me that if you are not using asymmetric crypto,
>an eavesdropper would have all required info from the transcript of
>the session to perform this type of an attack.  That is, it doesn't
>matter if the transcript is "weakly protected" or "strongly protected" --
>without asym crypto, the attacker has the same info about the session
>as the valid participants.
This is absolutely correct.  Fortunately, the proposal *does* involve
asymmetric crypto--for key exchange.  Once a (strong) key has been
exchanged using asymmetric cryptography, the (as-yet-anonymous) client
and (already-authenticated) server share a fresh, random secret
(presumably) unavailable to the attacker, and can use that secret to
protect the shared-key-based client authentication transcript.

				Daniel Simon
				Cryptographer, Microsoft Corp.

Received on Monday, 5 August 1996 19:10:20 UTC