In message <[EMAIL PROTECTED]>, Paul Crowley writes:
>Rick Smith <[EMAIL PROTECTED]> writes:
>> If you can control the risk of off-line attacks (i.e. theft of the password
>> file) then attackers are stuck performing on-line attacks. The system under
>> attack can usually detect on-line attacks and take countermeasures to
>> reduce the risk of a successful penetration.
>>
>> A related strategy is to combine the simple secret with a larger, more
>> random secret. But this provides better security only if you can keep
>> attackers from stealing the larger secret. One approach is to embed the
>> larger secret inside a tamper resistant device like a smart card, and set
>> up a protocol that doesn't allow the secret to leak out. But there's still
>> the challenge of protecting the copy of the secret stored on the server.
>
>The SRP authors (http://srp.stanford.edu/) suggest that SRP can be
>enhanced such that the server knows neither secret, only a verifier
>for the secrets. This means you have to extract the secret from the
>smartcard itself.
Mike Merritt and I described such a mechanism in our A-EKE paper,
http://www.research.att.com/~smb/papers/aeke.ps (or .pdf), several
years earlier. Briefly, use a DSA public key as the shared secret for
EKE (http://www.research.att.com/~smb/papers/neke.ps or .pdf), then
send an additional message from the client that uses the private key to
sign a random value, perhaps the negotiated key.
--Steve Bellovin
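The A-EKE augmentation described above, as an added example that is not code from the paper or from any poster: the server enrols only a DSA public key as the verifier, and after key agreement the client sends one extra message signing the negotiated key with the password-derived private key. Assumptions of mine: the tiny constructed group, the hash-based password-to-key derivation, and a plain Diffie-Hellman exchange standing in for EKE's password-encrypted one.

```python
import hashlib
import secrets

# Constructed toy group (far too small to be secure): p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def h_int(*parts: bytes) -> int:
    """Hash byte strings to an integer mod Q (toy stand-in for DSA's message hash)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

def derive_private_key(password: str) -> int:
    """Client-side DSA private key from the password (assumption: toy hash derivation;
    a real deployment would use a salted, deliberately slow KDF)."""
    return h_int(b"pw", password.encode()) or 1

def enroll(password: str) -> int:
    """Registration: the server stores only the verifier y = g^x, never x or the password."""
    return pow(G, derive_private_key(password), P)

def dsa_sign(x: int, msg: bytes) -> tuple[int, int]:
    """Textbook DSA signature (r, s) on msg under private key x."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (h_int(msg) + x * r) % Q
        if r and s:
            return r, s

def dsa_verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """Textbook DSA verification of (r, s) against public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h_int(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

def a_eke_session(client_password: str, server_verifier: int) -> bool:
    """One login: key agreement, then the extra A-EKE message. True if the server accepts.
    Assumption: the Diffie-Hellman values are exchanged in the clear here; in EKE proper
    each side would encrypt them under the shared secret before sending."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    A, B = pow(G, a, P), pow(G, b, P)            # exchanged between client and server
    client_key, server_key = pow(B, a, P), pow(A, b, P)
    # Extra message: client signs the negotiated key with the password-derived private key.
    sig = dsa_sign(derive_private_key(client_password), client_key.to_bytes(2, "big"))
    # Server checks the signature using only the stored verifier; a stolen y gives no x.
    return dsa_verify(server_verifier, server_key.to_bytes(2, "big"), sig)
```

Run `a_eke_session("correct horse", enroll("correct horse"))` to see an accepted login; a different password yields a signature the stored verifier rejects.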