- From: David P. Kemp <dpkemp@missi.ncsc.mil>
- Date: Fri, 7 Feb 1997 09:22:18 -0500
- To: ietf-tls@w3.org

TLS folks, FYI.

----- Begin Included Message -----

From owner-pkcs-tng@RSA.COM Thu Feb 6 18:57:21 1997
X-Sender: dpj@world.std.com
Date: Thu, 06 Feb 1997 18:52:04 -0500
To: pkcs-tng@RSA.COM
From: "David P. Jablon" <dpj@world.std.com>
Subject: Strong password authentication

I'd like to propose that PKCS TNG include a spec. for strong password authentication.

Recently there have been several proposed standards for password authentication that are demonstrably weak against dictionary attack. This perpetuates a longstanding problem, one of the largest obstacles to making memorized secrets a valuable factor in authentication.

It is a fact that strong password methods have existed since 1992. Beginning with Bellovin & Merritt's EKE family, through to my more recent work on SPEKE, there are clearly password methods that are immune to the unconstrained network dictionary attack.

If anyone is interested in collaborating on such a PKCS proposal, or perhaps an informational IETF RFC to try to prevent further backsliding, feel free to respond to the list or to me directly.

-- David Jablon

------------------------------------
David P. Jablon
Integrity Sciences, Inc.
Westboro, MA
Tel: +1 508 898 9024
http://world.std.com/~dpj/
E-mail: dpj@world.std.com

----- End Included Message -----

Received on Friday, 7 February 1997 09:23:10 UTC