Strong password authentication

TLS folks, FYI.

----- Begin Included Message -----

From owner-pkcs-tng@RSA.COM Thu Feb  6 18:57:21 1997
Date: Thu, 06 Feb 1997 18:52:04 -0500
To: pkcs-tng@RSA.COM
From: "David P. Jablon" <>
Subject: Strong password authentication

I'd like to propose that PKCS TNG include a spec. for
strong password authentication.

Recently there have been several proposed standards for
password authentication that are demonstrably weak against
dictionary attack.  This perpetuates a longstanding problem,
one of the largest obstacles to making memorized secrets a
valuable factor in authentication.

It is a fact that strong password methods have existed since 1992.
Beginning with Bellovin & Merritt's EKE family, through to my
more recent work on SPEKE, there are clearly password methods
that are immune to the unconstrained network dictionary attack.

If anyone is interested in collaborating on such a PKCS proposal,
or perhaps an informational IETF RFC to try to prevent further
backsliding, feel free to respond to the list or to me directly.

-- David Jablon
David P. Jablon
Integrity Sciences, Inc.
Westboro, MA
Tel: +1 508 898 9024

----- End Included Message -----

Received on Friday, 7 February 1997 09:23:10 UTC