Re: Shared Secret Authentication

David P. Jablon <> wrote:

>> Earlier threads on this list seem to have focused debate on
>> weak methods for password/passphrase/shared-secret authentication.
>> Methods that are immune to unconstrained dictionary attack
>> have been around since 1992, from Bellovin & Merritt's EKE family
>> of protocols, to the SPEKE method developed by myself.
>> I find it curious that the debate has settled down upon
>> demonstrably weaker alternatives, as in the current drafts.
>> I would suggest that the passauth-00.txt "Addition of
>> Shared Key Authentication" document be modified to use
>> strong password authentication.  Presenting weak password
>> authentication as an alternative to strong public-key
>> methods seems sloppy. (David P. Kemp) wrote:

> I believe that the earlier thread contained implications that the
> Bellovin & Merritt technique might be encumbered by intellectual
> property restrictions.
> Is the SPEKE method covered by any patents, B-M, your own, or others?
> If SPEKE is both demonstrably stronger than Dan Simon's proposal
> *and* unencumbered, then by all means submit a draft for our consideration.
> If it is not, it will probably fall pretty low on the priority list of
> work items.

Open debate must first focus on technical merit.
The IETF and working group members clearly feel that strength
comes first, and patent issues are secondary, as is demonstrated
by the repeated endorsement of patented PK methods (RSA, DH, etc.).
Otherwise all standards would degrade to second-rate technology.

SPEKE is not covered by the B&M patents, and B&M is not encumbered
by the pending SPEKE patent.  So at least you have a "second source"
which forces reasonable terms even without IETF's required
patent policy statement.  Both SPEKE and DH-EKE, like many good PK
methods are covered by the Diffie-Hellman patent, till Sept. '97.
And you're free to look for other strong methods that might
not be covered by either B&M or SPEKE.  So far I've seen little
evidence of a search for strong password methods in the earlier
discussion, perhaps because so few knew that these exist.

> The One-Time-Password working group made it's distaste for encumbered
> technology "patently" clear (sorry :-) at the December IETF - choosing
> to reject both a method patented by Bull and an alternative patented by
> Bellcore.
> The TLS working group also expressed concern about using patented
> compression technology from Hi-Fn (Stac), although it may be possible
> to implement the proposed compression method in a non-infringing way.

These are bad comparisons.  When EQUALLY STRONG unpatented
alternatives exist, of course you want to use them.  But
debate over whether or not to use public-key encryption
should never be BLOCKED by the fact that most good PK methods
(RSA, Diffie-Hellman, etc.) are patented.
David P. Jablon
Integrity Sciences, Inc.
Westboro, MA
Tel: +1 508 898 9024

Received on Friday, 7 February 1997 11:37:26 UTC