1998-09-21 - Re: ArcotSign (was Re: Does security depend on hardware?)

Header Data

From: Bruce Schneier <schneier@counterpane.com>
To: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message Hash: 0c0b35c2127d6e2d6ca9cd775a706287ec437e69b6ca20bc6a42ce80225dc998
Message ID: <199809221222.HAA27732@mixer.visi.com>
Reply To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
UTC Datetime: 1998-09-21 23:21:19 UTC
Raw Date: Tue, 22 Sep 1998 07:21:19 +0800

Raw message

From: Bruce Schneier <schneier@counterpane.com>
Date: Tue, 22 Sep 1998 07:21:19 +0800
To: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
In-Reply-To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
Message-ID: <199809221222.HAA27732@mixer.visi.com>
MIME-Version: 1.0
Content-Type: text/plain



At 02:20 PM 9/22/98 +0100, Mok-Kong Shen wrote:
>Bruce Schneier wrote:
>> 
>> At 12:48 PM 9/22/98 +0100, Mok-Kong Shen wrote:
>> >Bruce Schneier wrote:
>
>> >> He uses a remembered secret and some mathematical magic.
>> >
>> >Another naive question: Why is the remembered secret not sufficient
>> >(thus doing away with the magic)?
>> 
>> One of the significant improvements is that the scheme is immune to
>> offline password guessing attacks.
>
>If the 'mathematical magic' is not to be kept secret (as in principle
>shouldn't for all crypto algorithms) then presumably one could
>attack through brute forcing the 'remembered secrect', I guess.

Yes, but only through an on-line protocol.   And if the server has some
kind of "turn the user off after ten bad password guesses," then the
atack doesn't work.

>(I suppose the 'remembered secret' has less bits then the 'password'
>that is to be retrieved from the pool of millions with the
>'mathematical magic'). So the advantages of the scheme appear to
>remain unclear as a matter of principle.

The advantages are that offline password guessing is impossible.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

Thread

• Return to September 1998

• Return to “Adam Shostack <adam@homeport.org>”
• Return to “Ben Laurie <ben@algroup.co.uk>”
• Return to ““Bernardo B. Terrado” <bbt@mudspring.uplb.edu.ph>”
• Return to “bram <bram@gawth.com>”
• Return to “Bruce Schneier <schneier@counterpane.com>”
• Return to “David Jablon <dpj@world.std.com>”
• Return to “Douglas Hoover <doug@arcot.com>”
• Return to ““Kriston J. Rehberg” <kriston@ibm.net>”
• Return to “Lucky Green <shamrock@cypherpunks.to>”
• Return to “Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>”
• Return to “Petro <petro@playboy.com>”
• Return to “proff@iq.org”
• Return to “Ryan Lackey <rdl@MIT.EDU>”
• Return to “Tim May <tcmay@got.net>”

• Return to ““Todd S. Glassey” <TSGman@earthlink.net>”

• Unknown thread root
  • 1998-09-19 (Sat, 19 Sep 1998 15:37:04 +0800) - ArcotSign (was Re: Does security depend on hardware?) - Ryan Lackey <rdl@MIT.EDU>
    • 1998-09-20 (Sun, 20 Sep 1998 11:43:59 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Lucky Green <shamrock@cypherpunks.to>
      • 1998-09-20 (Mon, 21 Sep 1998 05:28:19 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
        • 1998-09-21 (Mon, 21 Sep 1998 10:47:42 +0800) - RE: ArcotSign (was Re: Does security depend on hardware?) - “Todd S. Glassey” <TSGman@earthlink.net>
        • 1998-09-21 (Mon, 21 Sep 1998 11:55:38 +0800) - RE: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
        • 1998-09-21 (Mon, 21 Sep 1998 15:15:04 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - bram <bram@gawth.com>
          • 1998-09-21 (Tue, 22 Sep 1998 01:59:00 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-21 (Tue, 22 Sep 1998 04:47:56 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
            • 1998-09-22 (Tue, 22 Sep 1998 23:42:35 +0800) - what is… - “Bernardo B. Terrado” <bbt@mudspring.uplb.edu.ph>
          • 1998-09-21 (Tue, 22 Sep 1998 06:06:11 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-21 (Tue, 22 Sep 1998 06:26:50 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-21 (Tue, 22 Sep 1998 07:18:24 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-21 (Tue, 22 Sep 1998 07:21:19 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-21 (Tue, 22 Sep 1998 07:26:46 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
            • 1998-09-22 (Tue, 22 Sep 1998 10:03:42 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Petro <petro@playboy.com>
          • 1998-09-21 (Tue, 22 Sep 1998 07:42:36 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-21 (Tue, 22 Sep 1998 07:45:43 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-21 (Tue, 22 Sep 1998 07:48:11 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-22 (Tue, 22 Sep 1998 08:25:45 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-22 (Tue, 22 Sep 1998 09:24:22 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Ben Laurie <ben@algroup.co.uk>
          • 1998-09-22 (Tue, 22 Sep 1998 12:01:33 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
            • 1998-09-22 (Tue, 22 Sep 1998 12:38:31 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - proff@iq.org
            • 1998-09-22 (Tue, 22 Sep 1998 16:43:28 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-22 (Tue, 22 Sep 1998 12:02:21 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-22 (Tue, 22 Sep 1998 22:50:41 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - David Jablon <dpj@world.std.com>
          • 1998-09-22 (Wed, 23 Sep 1998 01:23:05 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-22 (Wed, 23 Sep 1998 01:37:38 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - “Kriston J. Rehberg” <kriston@ibm.net>
          • 1998-09-22 (Wed, 23 Sep 1998 02:11:14 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Tim May <tcmay@got.net>
          • 1998-09-22 (Wed, 23 Sep 1998 03:59:58 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Ben Laurie <ben@algroup.co.uk>
          • 1998-09-22 (Wed, 23 Sep 1998 07:08:47 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
            • 1998-09-23 (Wed, 23 Sep 1998 13:10:16 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - bram <bram@gawth.com>
        • 1998-09-21 (Mon, 21 Sep 1998 16:30:36 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
        • 1998-09-21 (Mon, 21 Sep 1998 19:56:02 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Douglas Hoover <doug@arcot.com>
    • 1998-09-20 (Mon, 21 Sep 1998 05:25:42 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Adam Shostack <adam@homeport.org>