Re: ArcotSign (was Re: Does security depend on hardware?)
Bruce Schneier wrote:
>> The advantages are that offline password guessing is impossible.
At 03:24 PM 9/22/98 +0100, Ben Laurie wrote:
> The 'I' word always makes me nervous - do you really mean that, or do
> you just mean "very difficult"?
Why be nervous? It's not that hard to prevent off-line
guessing of the PIN, given access to just the client's stored
data. Here "impossible" means "as hard as breaking your
favorite PK method".
Here are three ways of authenticating based on PIN + stored key
where the stored client data alone doesn't permit offline PIN
guessing. These methods are arguably better than using a
simplistic PIN-encrypted private key, if you're concerned
about the client spilling its data.
(1) Send the PIN separately, encrypted by the server's public key.
Don't encrypt the private key with the PIN. Make the server
verify both PIN and private key to permit a transaction.
(2) Use the PIN + stored data to derive the private key,
in a way such that any PIN will also generate a valid
private key.
(3) Verify the PIN (or PIN-derived key) using
password-authenticated key exchange.
Each of these approaches has other benefits and limitations.
From the posted description, it sounds like Arcot is using (2),
where the PIN-encrypted data contains no verifiable plaintext.
-------------------------
David P. Jablon
<http://world.std.com/~dpj/>
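An added illustration of approach (2) above, contrasted with the "simplistic PIN-encrypted private key" it improves on; this is example code written for this page, not code from the original post or from Arcot. The toy discrete-log group, the PBKDF2 PIN derivation and the record layouts are constructed assumptions.

```python
import hashlib
import os
from typing import Optional

# Toy discrete-log group, constructed for illustration only (far too small for real use).
P = 2**61 - 1   # Mersenne prime
G = 3

def kdf(pin: str, salt: bytes) -> int:
    """PIN -> integer via PBKDF2 (assumed; any deterministic slow KDF would do)."""
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000), "big")

def valid_private_key(x: int) -> bool:
    """A private exponent is well-formed if it lies in [1, P-2]."""
    return 1 <= x <= P - 2

# --- Simplistic scheme: private key encrypted under the PIN, with a recognisable header ---
def naive_enroll(pin: str, x: int, salt: Optional[bytes] = None) -> dict:
    salt = salt or os.urandom(16)
    pad = kdf(pin, salt).to_bytes(32, "big")
    plaintext = (b"PRIVKEY:" + x.to_bytes(8, "big")).ljust(32, b"\0")
    return {"salt": salt, "ct": bytes(a ^ b for a, b in zip(plaintext, pad))}

def naive_guess_checks_out(record: dict, guess: str) -> bool:
    """What someone holding only the client record can test, offline, per PIN guess."""
    pad = kdf(guess, record["salt"]).to_bytes(32, "big")
    pt = bytes(a ^ b for a, b in zip(record["ct"], pad))
    return pt.startswith(b"PRIVKEY:")  # verifiable plaintext: the header confirms the PIN

# --- Approach (2): PIN + stored offset derive the key; every PIN yields a valid key ---
def camouflage_enroll(pin: str, x: int, salt: Optional[bytes] = None) -> dict:
    salt = salt or os.urandom(16)
    r = (x - 1 - kdf(pin, salt)) % (P - 2)   # offset chosen so derive(correct PIN) == x
    return {"salt": salt, "r": r}

def camouflage_derive(record: dict, pin: str) -> int:
    """Any PIN maps into [1, P-2]; nothing in the record tells a right PIN from a wrong one."""
    return 1 + (record["r"] + kdf(pin, record["salt"])) % (P - 2)

def server_verify(public_key: int, x: int) -> bool:
    """Only the server, holding Y = G^x mod P, can distinguish the true key; a wrong PIN fails here."""
    return pow(G, x, P) == public_key
```

With the naive record a guesser needs no server at all; with the camouflaged record every guess produces an equally plausible key, so each guess costs an online round-trip the server can count and throttle.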