From: frantz@netcom.com (Bill Frantz)
Date: Thu, 4 Jul 1996 07:14:50 +0800
To: minow@apple.com (Martin Minow)
Subject: Re: SAFE Forum--some comments
Message-ID: <199607031912.MAA08980@netcom8.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 08:44 PM 7/2/96 -0700, Martin Minow wrote:

>It's not quite that bad. Here are a few (more or less strong) crypto
>products you might not know you have:
>
>1. Every Macintosh made since at least 1988 has a secure authentication
>   client module in the AppleShare Chooser dialog. When you use it to
>   connect to a remote server, it notes that the user information
>   is "two-way scrambled." (The server sends a random number challenge
>   that the client uses to encrypt the username and password. The
>   encrypted information is sent to the server.) All Macintosh systems
>   running System 7 or later have the corresponding server software.
>   What is interesting about this is that the encryption is completely
>   invisible to the user.

I hear this as the server sends out a key which the client uses to encrypt
the username/password.  This algorithm makes less sense than the one I
thought I heard at the SAFE forum on Monday which was:

(1) The server sends out a challenge/salt (different each time)
(2) The client uses a secure hash to compute hash(salt||password) and
returns the username and the hash.
(3) The server computes hash(salt||password) and compares the hashes.

Given that there is still some interest in algorithms and protocols on this
list, can you describe what is really happening?

Thanks - Bill


-------------------------------------------------------------------------
Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA