From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
To: Bruce Schneier <schneier@counterpane.com>
Message Hash: bb709bf6ffd197c42821d181738097e2aa9ab7260b3798f3186bdf115ede4b95
Message ID: <3607DA11.6250C39A@stud.uni-muenchen.de>
Reply To: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox>
UTC Datetime: 1998-09-22 17:23:05 UTC
Raw Date: Wed, 23 Sep 1998 01:23:05 +0800
Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
Bruce Schneier wrote:
>
> At 03:04 PM 9/22/98 +0100, Mok-Kong Shen wrote:
> >Bruce Schneier wrote:
> >>
> >> >I suppose you misunderstood me. I mean the 'mathematical magic'
> >> >cannot be made public. (Or is 'online protocol' = 'mathematical magic'?)
> >> >If the 'magic' is public then the attacker with the pool of passwords
> >> >could brute force offline.
> >>
> >> No. You misunderstood me. There is NOTHING secret except the key.
> >> The online protocol, mathematical magic, source code, algorithm details,
> >> and everything else can be made public. There are no secrets in the
> >> system except for the keys.
> >
> >In that case please allow me to go back to a point raised by me
> >previously. The user uses his 'remembered secret' (of fewer bits)
> >through a public algorithm (including protocol) to retrieve from a
> >pool the password (of more bits). If the attacker doesn't have the
> >pool then everything looks fine. But if he manages to get the pool
> >(a case someone mentioned in this thread) then he can obviously
> >brute force offline, I believe, since he possesses now everything
> >the legitimate user has, excepting the 'remembered secret'. Or is
> >there anything wrong with my logic?
>
> Yes. There is something wrong with your logic.

Please kindly explain. I would very much like to learn from my errors.
Thank you very much in advance.

M. K. Shen