1998-09-22 - Re: ArcotSign (was Re: Does security depend on hardware?)

Header Data

From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
To: Bruce Schneier <schneier@counterpane.com>
Message Hash: 0b50252a04de1b448868a42412c36f4fcf11435cdb175c0eba7f353f70714bf0
Message ID: <3607A04E.BE164E44@stud.uni-muenchen.de>
Reply To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
UTC Datetime: 1998-09-22 00:25:45 UTC
Raw Date: Tue, 22 Sep 1998 08:25:45 +0800

Raw message

From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Date: Tue, 22 Sep 1998 08:25:45 +0800
To: Bruce Schneier <schneier@counterpane.com>
Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
In-Reply-To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
Message-ID: <3607A04E.BE164E44@stud.uni-muenchen.de>
MIME-Version: 1.0
Content-Type: text/plain



Bruce Schneier wrote:
> 
> >I suppose you misunderstood me. I mean the 'mathematical magic'
> >cannot be made public. (Or is 'online protocol' = 'mathematical magic'?)
> >If the 'magic' is public then the attacker with the pool of passwords
> >could brute force offline.
> 
> No.  You misunderstood me.  There is NOTHING secret except the key.
> The online protocol, mathematical magic, source code, algorithm details,
> and everything else can be made public.  There are no secrets in the
> system except for the keys.

In that case please allow me to go back to a point raised by me
previously. The user uses his 'remembered secret' (of fewer bits) 
through a public algorithm (including protocol) to retrieve from a 
pool the password (of more bits). If the attacker doesn't have the 
pool then everything looks fine. But if he manages to get the pool
(a case someone mentioned in this thread) then he can obviously
brute force offline, I believe, since he possesses now everything
the legitimate user has, excepting the 'remembered secret'. Or is
there anything wrong with my logic?

M. K. Shen

Thread

• Return to September 1998

• Return to “Adam Shostack <adam@homeport.org>”
• Return to “Ben Laurie <ben@algroup.co.uk>”
• Return to ““Bernardo B. Terrado” <bbt@mudspring.uplb.edu.ph>”
• Return to “bram <bram@gawth.com>”
• Return to “Bruce Schneier <schneier@counterpane.com>”
• Return to “David Jablon <dpj@world.std.com>”
• Return to “Douglas Hoover <doug@arcot.com>”
• Return to ““Kriston J. Rehberg” <kriston@ibm.net>”
• Return to “Lucky Green <shamrock@cypherpunks.to>”
• Return to “Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>”
• Return to “Petro <petro@playboy.com>”
• Return to “proff@iq.org”
• Return to “Ryan Lackey <rdl@MIT.EDU>”
• Return to “Tim May <tcmay@got.net>”

• Return to ““Todd S. Glassey” <TSGman@earthlink.net>”

• Unknown thread root
  • 1998-09-19 (Sat, 19 Sep 1998 15:37:04 +0800) - ArcotSign (was Re: Does security depend on hardware?) - Ryan Lackey <rdl@MIT.EDU>
    • 1998-09-20 (Sun, 20 Sep 1998 11:43:59 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Lucky Green <shamrock@cypherpunks.to>
      • 1998-09-20 (Mon, 21 Sep 1998 05:28:19 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
        • 1998-09-21 (Mon, 21 Sep 1998 10:47:42 +0800) - RE: ArcotSign (was Re: Does security depend on hardware?) - “Todd S. Glassey” <TSGman@earthlink.net>
        • 1998-09-21 (Mon, 21 Sep 1998 11:55:38 +0800) - RE: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
        • 1998-09-21 (Mon, 21 Sep 1998 15:15:04 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - bram <bram@gawth.com>
          • 1998-09-21 (Tue, 22 Sep 1998 01:59:00 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-21 (Tue, 22 Sep 1998 04:47:56 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
            • 1998-09-22 (Tue, 22 Sep 1998 23:42:35 +0800) - what is… - “Bernardo B. Terrado” <bbt@mudspring.uplb.edu.ph>
          • 1998-09-21 (Tue, 22 Sep 1998 06:06:11 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-21 (Tue, 22 Sep 1998 06:26:50 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-21 (Tue, 22 Sep 1998 07:18:24 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-21 (Tue, 22 Sep 1998 07:21:19 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-21 (Tue, 22 Sep 1998 07:26:46 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
            • 1998-09-22 (Tue, 22 Sep 1998 10:03:42 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Petro <petro@playboy.com>
          • 1998-09-21 (Tue, 22 Sep 1998 07:42:36 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-21 (Tue, 22 Sep 1998 07:45:43 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-21 (Tue, 22 Sep 1998 07:48:11 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-22 (Tue, 22 Sep 1998 08:25:45 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-22 (Tue, 22 Sep 1998 09:24:22 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Ben Laurie <ben@algroup.co.uk>
          • 1998-09-22 (Tue, 22 Sep 1998 12:01:33 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
            • 1998-09-22 (Tue, 22 Sep 1998 12:38:31 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - proff@iq.org
            • 1998-09-22 (Tue, 22 Sep 1998 16:43:28 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-22 (Tue, 22 Sep 1998 12:02:21 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
          • 1998-09-22 (Tue, 22 Sep 1998 22:50:41 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - David Jablon <dpj@world.std.com>
          • 1998-09-22 (Wed, 23 Sep 1998 01:23:05 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
          • 1998-09-22 (Wed, 23 Sep 1998 01:37:38 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - “Kriston J. Rehberg” <kriston@ibm.net>
          • 1998-09-22 (Wed, 23 Sep 1998 02:11:14 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Tim May <tcmay@got.net>
          • 1998-09-22 (Wed, 23 Sep 1998 03:59:58 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Ben Laurie <ben@algroup.co.uk>
          • 1998-09-22 (Wed, 23 Sep 1998 07:08:47 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
            • 1998-09-23 (Wed, 23 Sep 1998 13:10:16 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - bram <bram@gawth.com>
        • 1998-09-21 (Mon, 21 Sep 1998 16:30:36 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Bruce Schneier <schneier@counterpane.com>
        • 1998-09-21 (Mon, 21 Sep 1998 19:56:02 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Douglas Hoover <doug@arcot.com>
    • 1998-09-20 (Mon, 21 Sep 1998 05:25:42 +0800) - Re: ArcotSign (was Re: Does security depend on hardware?) - Adam Shostack <adam@homeport.org>