[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ArcotSign (was Re: Does security depend on hardware?)




Bruce Schneier wrote:
> 
> At 03:04 PM 9/22/98 +0100, Mok-Kong Shen wrote:
> >Bruce Schneier wrote:
> >>
> >> >I suppose you misunderstood me. I mean the 'mathematical magic'
> >> >cannot be made public. (Or is 'online protocol' = 'mathematical magic'?)
> >> >If the 'magic' is public then the attacker with the pool of passwords
> >> >could brute force offline.
> >>
> >> No.  You misunderstood me.  There is NOTHING secret except the key.
> >> The online protocol, mathematical magic, source code, algorithm details,
> >> and everything else can be made public.  There are no secrets in the
> >> system except for the keys.
> >
> >In that case please allow me to go back to a point raised by me
> >previously. The user uses his 'remembered secret' (of fewer bits)
> >through a public algorithm (including protocol) to retrieve from a
> >pool the password (of more bits). If the attacker doesn't have the
> >pool then everything looks fine. But if he manages to get the pool
> >(a case someone mentioned in this thread) then he can obviously
> >brute force offline, I believe, since he possesses now everything
> >the legitimate user has, excepting the 'remembered secret'. Or is
> >there anything wrong with my logic?
> 
> Yes.  There is something wrong with you logic.

Please kindly explain. I like very much to learn from my errors.
Thank you very much in advance.

M. K. Shen