> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] > On Behalf Of Edward Ned Harvey (lopser) > > The client sent the > password to the KDC.
BTW, Kerberos is definitely not the problem I'm interested in addressing. The reason Kerberos came up in this thread was to suggest I look at it and see how they work (implying they already know how to do authentication without password exposure). I first looked into those details about 2 years ago, because I mistakenly believed Kerberos did exposureless authentication, and I thought we could use their stuff, or learn from them. Kerberos was a dead-end for us, but lots of zero-knowledge password proof (ZKPP) methods do exist, in particular, all the variants of PAKE. All of cbcrypt boils down to two sections: (a) address the salt exposure problem, and (b) prove knowledge of the derived salted stretched hash. PAKE could be used in part(b), instead of authenticating with ECDH or ECDSA, but since you're already inside a TLS channel and the server has the salted stretched hash, the benefit of not exposing the salted stretched hash inside the TLS channel is minimal. It's a nice fea ture, so we might adopt PAKE for part(b) in some future version of cbcrypt. Part(a) is new, no matter what. The salt exposure problem was never addressed by any of the variants of PAKE (none that I've found). _______________________________________________ Tech mailing list Tech@lists.lopsa.org https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
