Re: Passphrases in or out

Bennet Yee wrote:
> Protocols only specify the messages sent over the wire.  The
> vulnerability to dictionary attacks, unfortunately, is independent of
> this -- active on-line attacks, where the server is actually being
> probed, -can- be detected by the server implementation, but such an
> implementation requirement is outside the scope of a protocol
> standard; off-line attacks where protocol messages are eavesdropped
> and then used to determine the key in a separate computation, much as
> brute-force key searches are done with known-plaintext attacks, are
> completely separated from both protocol specifications as well as
> implementation specifications.

At the Montreal meeting (in reference to the flexibility of the SSH proposal)
someone commented that the protocol should not allow the implementor to 
"do bad things".  I agree with this, because many implementors don't have
the time or cryptographic expertise to consider all angles of attack.

Given that, it is misleading to state that (with the passauth proposal)
your passwords are protected with 128 bit crypto, when in reality a
server without attack detection, combined with a user whose password
is in a dictionary of 65000 commonly used passwords, effectively
has 16 bit crypto protection.

A security system is only as strong as its weakest link.  Again, I'm no
cryptographer, but it seems to me that this channel of attack does not
exist if passphrases are disallowed in TLS.

Steve Petri
Litronic Industries				(714)545-6649

Received on Wednesday, 7 August 1996 16:58:50 UTC