>James A. Donald:
>The problem is that I assume that people find each other's IP and transient
>public key through the server. I also assume the user's computer is
>insecure, the user is ignorant and careless about security and the user may
>change computers from time to time. Thus his public key has to be
>transitory. Thus the server can mount a man-in-the-middle attack.
Are you assuming that the user's computer is fast, but the user is dumb,
or are you assuming that the user's computer is also limited, e.g. a smart
card?
If the problem is just the user choosing a wimpy passphrase,
but the user's machine is fast and has some entropy available,
have the user's machine generate a random key and combine with the passphrase,
using your favorite hash, and store the generated key in some manner
that can be accessed by a user who knows the passphrase, e.g. 3DES(genkey,
hash(pass)).
That way, the server hasn't contributed anything it can use in an attack.
Alternatively, if there's no better entropy source, you could also have the
user's machine ask the server for some random bits, and then hash them up
with whatever else is available (if nothing else, the message it's trying
to send), though that lets an eavesdropper do the dictionary attack on
G**(hash(p,bits)), which is at least slow.
If you want the public key to be always reproducible from the passphrase,
which is one of the modes I liked in Crypto Kong, this may not be usable,
but I'm assuming you're trying to do something different.
Thanks!
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
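The passphrase-protected key store Bill sketches above (a random key generated on the user's machine, stored as "3DES(genkey, hash(pass))"), as an added example that is not part of the original thread. Python's standard library has no 3DES, so this substitutes a SHA-256 based construction: the wrapping key is an iterated, salted hash of the passphrase, the generated key is XORed with a SHA-256 keystream, and an HMAC tag lets the unwrap step reject a wrong passphrase instead of returning garbage. The iteration count and the 32-byte key size are assumptions, not values from the post.

```python
"""Wrap a machine-generated random key under a user passphrase.

The server never sees genkey or the passphrase, so it has nothing it can
use in an attack; an attacker holding the stored blob is left guessing
the passphrase offline, which the iterated hash slows down.
"""
import hashlib
import hmac
import secrets
from typing import Optional

WRAP_ROUNDS = 200_000   # assumption: PBKDF2 iterations for hash(pass)
SALT_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    """The post's hash(pass): salted and iterated so identical passphrases
    on two machines yield different wrapping keys."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, WRAP_ROUNDS)


def _keystream(wrap_key: bytes) -> bytes:
    # One SHA-256 block of keystream; enough for a KEY_LEN-byte genkey.
    return hashlib.sha256(wrap_key + b"keystream").digest()


def wrap_key(genkey: bytes, passphrase: str) -> bytes:
    """Return salt || tag || ciphertext, the blob the user's machine stores."""
    assert len(genkey) == KEY_LEN
    salt = secrets.token_bytes(SALT_LEN)
    wk = passphrase_key(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(genkey, _keystream(wk)))
    tag = hmac.new(wk, salt + ct, "sha256").digest()
    return salt + tag + ct


def unwrap_key(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Recover genkey from the blob; None if the passphrase is wrong or the
    blob was altered (the tag check fails in constant time)."""
    salt, tag, ct = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + TAG_LEN], blob[SALT_LEN + TAG_LEN:]
    wk = passphrase_key(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(wk, salt + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(wk)))


def generate_and_store(passphrase: str):
    """Generate genkey from the local entropy source and wrap it."""
    genkey = secrets.token_bytes(KEY_LEN)   # from the user's machine, not the server
    return genkey, wrap_key(genkey, passphrase)
```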