1998-09-21 - Re: ArcotSign (was Re: Does security depend on hardware?)

Header Data

From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
To: Bruce Schneier <schneier@counterpane.com>
Message Hash: 637ae66592cfd9921750ace7eec1b567a3a766b6b6b80d346668949667e0f982
Message ID: <360797EF.A979141A@stud.uni-muenchen.de>
Reply To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
UTC Datetime: 1998-09-21 23:26:46 UTC
Raw Date: Tue, 22 Sep 1998 07:26:46 +0800

Raw message

From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Date: Tue, 22 Sep 1998 07:26:46 +0800
To: Bruce Schneier <schneier@counterpane.com>
Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
In-Reply-To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
Message-ID: <360797EF.A979141A@stud.uni-muenchen.de>
MIME-Version: 1.0
Content-Type: text/plain



Bruce Schneier wrote:
> 
> At 02:20 PM 9/22/98 +0100, Mok-Kong Shen wrote:

> >If the 'mathematical magic' is not to be kept secret (as in principle
> >shouldn't for all crypto algorithms) then presumably one could
> >attack through brute forcing the 'remembered secret', I guess.
> 
> Yes, but only through an on-line protocol.   And if the server has some
> kind of "turn the user off after ten bad password guesses," then the
> attack doesn't work.

I remember someone wrote of the case where the attacker got the
file with the millions of passwords. Then if he also knows the
'mathematical magic' he could presumably do offline work. So I
suppose that the 'mathematical magic' has to be kept secret, which 
would work against the generally accepted crypto principles.

M. K. Shen




