keygen tag

RSA is useless for the Web. An eavesdropper acquires the server public key,
the client public key and the encrypted password, takes a dictionary of
passwords, encrypts every possible password and compares the results. There is
only one encryption needed to check one password from a dictionary, or 30^6
checks to test all passwords of up to 6 characters.
There is RFC 2945 - The SRP Authentication and Key Exchange System.
http://en.wikipedia.org/wiki/Secure_remote_password_protocol

RSA encryption will give a false sense of security to web programmers.

Received on Saturday, 12 December 2009 14:14:34 UTC
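
The comparison described in the message works only when encryption is deterministic. The following is an added example, not part of the original message, that checks whether a captured ciphertext confirms a guess under unpadded RSA and under a randomized variant; it goes one step beyond the message by including that variant. The toy key, the word list, all function names and the 16-byte random prefix (a simplified stand-in for a padding scheme such as OAEP) are assumptions.

```python
import secrets

# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the server

# Constructed sample dictionary (assumption).
WORDS = ["123456", "qwerty", "secret", "letmei"]


def encrypt_raw(password: str) -> int:
    """Unpadded RSA: the same password always yields the same ciphertext."""
    return pow(int.from_bytes(password.encode(), "big"), E, N)


def encrypt_randomized(password: str) -> int:
    """Prefix a 0x01 marker and 16 fresh random bytes before encrypting."""
    if len(password.encode()) > 8:
        raise ValueError("toy modulus only fits passwords of up to 8 bytes")
    block = b"\x01" + secrets.token_bytes(16) + password.encode()
    return pow(int.from_bytes(block, "big"), E, N)


def decrypt_randomized(ciphertext: int) -> str:
    """Server side: recover the block, drop the marker and the random prefix."""
    m = pow(ciphertext, D, N)
    block = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return block[17:].decode()


def matches_in_dictionary(observed: int, candidates, encrypt) -> list:
    """Candidates whose ciphertext under the public key equals the observed one."""
    return [c for c in candidates if encrypt(c) == observed]


if __name__ == "__main__":
    raw = encrypt_raw("secret")
    rnd = encrypt_randomized("secret")
    print("unpadded, guess confirmed:", matches_in_dictionary(raw, WORDS, encrypt_raw))
    print("randomized, guess confirmed:", matches_in_dictionary(rnd, WORDS, encrypt_randomized))
    print("server still decrypts:", decrypt_randomized(rnd))
    print("candidates for 6 chars over 30 symbols:", 30**6)
```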