- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Sat, 12 Dec 2009 15:33:20 +0100
- To: Vlad Avdeev <vavdeev@gmail.com>
- CC: public-html-comments@w3.org
Vlad,

This is not how good protocols work; they rather create high-entropy symmetric keys which are encrypted by public keys, then exchanged and used for encrypting payloads.

SRP could have been widely used but Lucent killed it by requiring licenses so it will never be featured in browsers.

Anders

Vlad Avdeev wrote:
> RSA is useless for WEB. An eavesdropper acquires the server public key,
> client public key, encrypted password, takes a dictionary of passwords,
> encrypts every possible password and compares the result. There is only one
> encryption needed to check one password from a dictionary or 30^6 checks
> to test all up to 6 character passwords.
> There is RFC 2945 - The SRP Authentication and Key Exchange System.
> http://en.wikipedia.org/wiki/Secure_remote_password_protocol
>
> RSA encryption will give a false sense of security to web programmers.
Received on Saturday, 12 December 2009 14:33:53 UTC
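The SRP exchange that Vlad's message points to (RFC 2945), written out with both the client and the server side in one process, as an added example that is not part of this thread or of any SRP implementation. It follows the RFC 2945 message flow: the server stores a salt and a verifier v = g^x rather than the password, the client sends A = g^a, the server answers with B = v + g^b, u is taken from the first 32 bits of SHA1(B), and both sides derive the same S without the password ever leaving the client. Assumptions: the 1024-bit MODP group is the RFC 3526 group 2 constant transcribed here (the block checks that N and (N-1)/2 are probable primes so a transcription error fails loudly); the session key is simplified to SHA1(S) instead of the RFC's SHA_Interleave; the user name and passwords are constructed test data. RFC 5054's SRP-6a variant (B = k*v + g^b, u = H(A | B), SHA-256) is what TLS-SRP and most current libraries use; the structure below is the older SRP-3 flow the RFC describes.

```python
"""RFC 2945 (SRP-3) password-authenticated key exchange, client and server in one file."""
import hashlib
import secrets

# 1024-bit MODP group from RFC 3526 (group 2), generator g = 2.
# Assumption: constant transcribed by hand; check_group() verifies it is a safe prime.
N_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
N = int(N_HEX, 16)
g = 2


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; enough to catch a mistyped group constant."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group() -> bool:
    """SRP needs a safe prime: both N and (N-1)/2 must be prime."""
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)


def H(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()  # RFC 2945 specifies SHA-1


def to_bytes(x: int) -> bytes:
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def compute_x(salt: bytes, username: str, password: str) -> int:
    # x = SHA1(s | SHA1(U | ":" | p)); only the client ever computes this.
    return int.from_bytes(H(salt, H(username.encode(), b":", password.encode())), "big")


def register(username: str, password: str):
    """Enrolment: the server keeps (salt, v = g^x mod N), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, compute_x(salt, username, password), N)


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)  # message 1: client -> server: U, A


def server_respond(A: int, v: int):
    if A % N == 0:
        raise ValueError("client sent A == 0 mod N")  # RFC 2945 abort condition
    b = secrets.randbelow(N - 2) + 1
    B = (v + pow(g, b, N)) % N  # message 2: server -> client: s, B
    u = int.from_bytes(H(to_bytes(B))[:4], "big")  # first 32 bits of SHA1(B)
    S = pow(A * pow(v, u, N) % N, b, N)  # (A * v^u)^b = g^(b(a+ux))
    return B, H(to_bytes(S))  # simplification: K = SHA1(S), not SHA_Interleave


def client_finish(username, password, salt, a, B):
    if B % N == 0:
        raise ValueError("server sent B == 0 mod N")
    x = compute_x(salt, username, password)
    u = int.from_bytes(H(to_bytes(B))[:4], "big")
    S = pow((B - pow(g, x, N)) % N, a + u * x, N)  # (B - g^x)^(a+ux) = (g^b)^(a+ux)
    return H(to_bytes(S))


def proof_m1(username, salt, A, B, K):
    """M1 = H(H(N) xor H(g), H(U), s, A, B, K): client's proof of K (RFC 2945 section 3)."""
    hx = bytes(p ^ q for p, q in zip(H(to_bytes(N)), H(to_bytes(g))))
    return H(hx, H(username.encode()), salt, to_bytes(A), to_bytes(B), K)


def run_exchange(username, password_at_registration, password_at_login):
    """Full flow; returns True only if the server accepts the client's proof."""
    salt, v = register(username, password_at_registration)
    a, A = client_start()
    B, K_server = server_respond(A, v)
    K_client = client_finish(username, password_at_login, salt, a, B)
    m1_client = proof_m1(username, salt, A, B, K_client)  # message 3
    m1_server = proof_m1(username, salt, A, B, K_server)
    return secrets.compare_digest(m1_client, m1_server)


if __name__ == "__main__":
    assert check_group()
    print("correct password accepted:", run_exchange("alice", "correct horse", "correct horse"))
    print("wrong password accepted:", run_exchange("alice", "correct horse", "battery staple"))
```

What a passive observer sees on the wire is A, B and the salt; none of them is a deterministic function of the password alone, which is the property the dictionary attack in the quoted message relies on. The two abort checks (A or B congruent to 0 mod N) are the ones RFC 2945 requires; dropping them lets an active attacker force S to 0 and bypass the password entirely.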