W3C home > Mailing lists > Public > ietf-tls@w3.org > October to December 1996

Re: Closing on shared-key authentication

From: Steve Petri <petri@litronic.com>
Date: Mon, 07 Oct 1996 14:07:54 -0700
Message-Id: <3259712A.2852@litronic.com>
To: Win Treese <treese@OpenMarket.com>
Cc: ietf-tls@w3.org
Win Treese wrote:
> 
> I'd like to close on the question of including shared-key
> authentication in TLS. There has been little discussion
> of the latest proposal from Barbara Fox, but I think we
> went over the arguments pretty thoroughly a few weeks
> ago.

Is the latest proposal still vulnerable to this type of an attack:

	- Given a server with TLS/passauth and no attack detection
	- Attacker uses dictionary attack against an account, 
	  re-trying the Handshake with a dictionary of 65000 
	  commonly used passphrases

If the user's passphrase exists in the dictionary, then the effective
security seems to be "16 bits" rather than "128 bits".



-- 
Steve Petri					petri@litronic.com
Litronic, Inc.					http://www.litronic.com
Received on Monday, 7 October 1996 17:08:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:17:12 UTC