1998-09-22 - Re: ArcotSign (was Re: Does security depend on hardware?)

Header Data

From: David Jablon <dpj@world.std.com>
To: Ben Laurie <schneier@counterpane.com>
Message Hash: 156feebde5a8121e9861171156ca4c5fbf88f92ccd608f1337f44446f2b47670
Message ID: <3.0.5.32.19980922235214.00804100@world.std.com>
Reply To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
UTC Datetime: 1998-09-22 14:50:41 UTC
Raw Date: Tue, 22 Sep 1998 22:50:41 +0800

Raw message

From: David Jablon <dpj@world.std.com>
Date: Tue, 22 Sep 1998 22:50:41 +0800
To: Ben Laurie <schneier@counterpane.com>
Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
In-Reply-To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
Message-ID: <3.0.5.32.19980922235214.00804100@world.std.com>
MIME-Version: 1.0
Content-Type: text/plain



Bruce Schneier wrote:
>> The advantages are that offline password guessing is impossible.

At 03:24 PM 9/22/98 +0100, Ben Laurie wrote:
> The 'I' word always makes me nervous - do you really mean that, or do
> you just mean "very difficult"?

Why be nervous?  It's not that hard to prevent off-line
guessing of the PIN, given access to just the client's stored
data.  Here "impossible" means "as hard as breaking your
favorite PK method".

Here are three ways of authenticating based on PIN + stored key
where the stored client data alone doesn't permit offline PIN
guessing.  These methods are arguably better than using a
simplistic PIN-encrypted private key, if you're concerned
about the client spilling its data.

(1)	Send the PIN separately, encrypted by the server's public key.
	Don't encrypt the private key with the PIN.  Make the server
	verify both PIN and private key to permit a transaction.

(2)	Use the PIN + stored data to derive the private key,
	in a way such that any PIN will also generate a valid
	private key.

(3)	Verify the PIN (or PIN-derived key) using
	password-authenticated key exchange.

Each of these approaches has other benefits and limitations.
From the posted description, it sounds like Arcot is using (2),
where the PIN-encrypted data contains no verifiable plaintext.

-------------------------
David P. Jablon
dpj@world.std.com
<http://world.std.com/~dpj/>

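The contrast between the "simplistic PIN-encrypted private key" and approach (2) above, as an added example that is not from this message or from Arcot's product: it assumes a constructed toy Schnorr group (p = 1907, q = 953, g = 4) and a plain SHA-256 PIN hash in place of a real KDF, and uses a checksum as the stand-in for verifiable plaintext.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (assumption, illustration only): p = 2q + 1 with
# p = 1907 and q = 953 both prime; g = 4 generates the subgroup of order q.
P, Q, G = 1907, 953, 4

def kdf(pin: str) -> int:
    """PIN -> scalar mod Q (a real system would use a slow, salted KDF)."""
    return int.from_bytes(hashlib.sha256(pin.encode()).digest(), "big") % Q

def keygen():
    """Private scalar x in [1, Q) and public value y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

# Simplistic store: PIN-masked key plus a checksum of the key.  The checksum is
# verifiable plaintext, so a wrong PIN is detectable from the blob alone.
def store_with_checksum(x: int, pin: str):
    return (x + kdf(pin)) % Q, hashlib.sha256(x.to_bytes(2, "big")).digest()[:4]

def recover_with_checksum(blob, pin: str):
    masked, check = blob
    x = (masked - kdf(pin)) % Q
    return x if hashlib.sha256(x.to_bytes(2, "big")).digest()[:4] == check else None

# Approach (2): store x - KDF(PIN) mod Q and nothing else.  Every PIN decodes to
# some scalar in [0, Q), i.e. a valid private key, so the blob alone gives an
# offline guesser nothing to test a candidate against.
def store_masked(x: int, pin: str) -> int:
    return (x - kdf(pin)) % Q

def recover_masked(blob: int, pin: str) -> int:
    return (blob + kdf(pin)) % Q

def server_accepts(y: int, x_candidate: int) -> bool:
    """Stands in for the server's signature check.  y must stay with the
    server: a published y would itself be verifiable plaintext."""
    return pow(G, x_candidate, P) == y

def demo(pin: str = "1234") -> dict:
    """Offline guesser holding only the stored blob, trying every 4-digit PIN."""
    x, y = keygen()
    pins = [f"{i:04d}" for i in range(10000)]
    b1, b2 = store_with_checksum(x, pin), store_masked(x, pin)
    hits1 = [p for p in pins if recover_with_checksum(b1, p) is not None]
    hits2 = [p for p in pins if 0 <= recover_masked(b2, p) < Q]  # all of them
    return {"checksum_hits": len(hits1), "masked_hits": len(hits2),
            "pin_in_checksum_hits": pin in hits1,
            "server_ok": server_accepts(y, recover_masked(b2, pin))}
```

With only 953 scalars in the toy group a handful of other PINs collide with the real one modulo q, so checksum_hits is a few rather than exactly 1; in a full-size group it narrows to the single PIN, while masked_hits is always every candidate.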