>"paul a. bauerschmidt" wrote:
>> one password will decrypt correctly, many other passwords will produce
>> alternate, valid-looking keys to fool an attacker.
>>
>> is this an example of security through obscurity (a thought which many
>> frown upon, it seems)?

At 05:12 PM 10/8/99 -0700, Ed Gerck wrote:
>
>No, it is IMO a valid example of security through ambiguity.

One-time pads rely on the same general idea taken to its extreme: any
decryption is as plausible as any other. I've always thought this is the
essence of a good password encryption scheme: try to eliminate the internal
cues that indicate whether the result is valid or not. That way the
attacker can only verify a decryption by using it in a genuine
authentication transaction. If the decryption is wrong, the attempt gets
logged, leaving a trace of the attempt.

Rick.
"Internet Cryptography" at http://www.visi.com/crypto/
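
The idea in the reply above, as an added example that is not part of the original message or of any scheme named in the thread: a key wrapped with no internal cue decrypts to plausible bytes under every password, so a guess can only be confirmed by the server, which logs the failure. It assumes the protected secret is a uniformly random 32-byte key; the names, the Server class, the PBKDF2 parameters and all sample values are constructed for illustration.

```python
import hashlib
import hmac

def pad(password: str, salt: bytes, n: int) -> bytes:
    # Password-derived keystream; PBKDF2 slows down every guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=n)

def wrap(secret: bytes, password: str, salt: bytes) -> bytes:
    # XOR with the keystream: no padding, header or checksum, so the
    # same call also unwraps and every password yields some output.
    return bytes(a ^ b for a, b in zip(secret, pad(password, salt, len(secret))))

def wrap_checked(key: bytes, password: str, salt: bytes) -> bytes:
    # Contrast case: a 4-byte checksum inside the plaintext is an internal cue.
    return wrap(key + hashlib.sha256(key).digest()[:4], password, salt)

def offline_cue(blob: bytes, guess: str, salt: bytes) -> bool:
    # What the holder of the checked blob can test without the server.
    plain = wrap(blob, guess, salt)
    return hmac.compare_digest(hashlib.sha256(plain[:-4]).digest()[:4], plain[-4:])

class Server:
    """Hypothetical verifier: the only place a candidate key can be confirmed."""
    def __init__(self, key: bytes):
        self._key = key
        self.failed_log = []

    def authenticate(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        if not ok:
            self.failed_log.append((user, challenge.hex()))  # trace of the attempt
        return ok

def demo() -> dict:
    key = hashlib.sha256(b"constructed sample key").digest()  # stands in for a random key
    salt, challenge = b"constructed-salt", b"constructed-challenge"
    blob = wrap(key, "correct horse", salt)
    checked = wrap_checked(key, "correct horse", salt)
    server = Server(key)
    results = {"cue_right": offline_cue(checked, "correct horse", salt),
               "cue_wrong": offline_cue(checked, "wrong guess", salt)}
    for guess in ("wrong guess", "correct horse"):
        candidate = wrap(blob, guess, salt)  # always 32 plausible bytes
        response = hmac.new(candidate, challenge, hashlib.sha256).digest()
        results[guess] = (len(candidate), server.authenticate("alice", challenge, response))
    results["failed_log"] = server.failed_log
    return results
```

The checksum variant is rejected offline for a wrong guess, while the cue-free variant gives no such signal and the wrong guess surfaces only as an entry in the server's failure log.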