From: Bruce Schneier <schneier@counterpane.com>
To: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message Hash: 4c02d3bd79bda4dc5e1e381f7704ea1d43a783aab60016daf97edf5b810bf45a
Message ID: <4.0.2.19980922114142.00956610@mail.visi.com>
Reply To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
UTC Datetime: 1998-09-22 04:01:33 UTC
Raw Date: Tue, 22 Sep 1998 12:01:33 +0800
Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
MIME-Version: 1.0
Content-Type: text/plain
At 03:04 PM 9/22/98 +0100, Mok-Kong Shen wrote:
>Bruce Schneier wrote:
>>
>> >I suppose you misunderstood me. I mean the 'mathematical magic'
>> >cannot be made public. (Or is 'online protocol' = 'mathematical magic'?)
>> >If the 'magic' is public then the attacker with the pool of passwords
>> >could brute force offline.
>>
>> No. You misunderstood me. There is NOTHING secret except the key.
>> The online protocol, mathematical magic, source code, algorithm details,
>> and everything else can be made public. There are no secrets in the
>> system except for the keys.
>
>In that case please allow me to go back to a point raised by me
>previously. The user uses his 'remembered secret' (of fewer bits)
>through a public algorithm (including protocol) to retrieve from a
>pool the password (of more bits). If the attacker doesn't have the
>pool then everything looks fine. But if he manages to get the pool
>(a case someone mentioned in this thread) then he can obviously
>brute force offline, I believe, since he possesses now everything
>the legitimate user has, excepting the 'remembered secret'. Or is
>there anything wrong with my logic?
Yes. There is something wrong with your logic.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com