
Re: ArcotSign (was Re: Does security depend on hardware?)




At 7:39 AM -0500 9/22/98, Bruce Schneier wrote:
>At 02:28 PM 9/22/98 +0100, Mok-Kong Shen wrote:
>>Bruce Schneier wrote:
>>>
>>> At 02:20 PM 9/22/98 +0100, Mok-Kong Shen wrote:
>>
>>> >If the 'mathematical magic' is not to be kept secret (as in principle
>>> >shouldn't for all crypto algorithms) then presumably one could
>>> >attack through brute forcing the 'remembered secret', I guess.
>>>
>>> Yes, but only through an on-line protocol.   And if the server has some
>>> kind of "turn the user off after ten bad password guesses," then the
>>> attack doesn't work.
>>
>>I remember someone wrote of the case where the attacker got the
>>file with the millions of passwords. Then if he also knows the
>>'mathematical magic' he could presumably do offline work. So I
>>suppose that the 'mathematical magic' has to be kept secret, which
>>would work against the generally accepted crypto principles.
>
>No.  The online protocol can be public.  Nothing has to be kept secret
>in order for this to work.  That would be stupid; we all know that.

	Also, that things are kept secret/unpublished NOW doesn't mean that
they won't be released when the product ships.

	Not knowing anything about this company, they may have seen a novel
way to put existing tools/methods together, and are doing Q/A, interface,
and marketing work, and don't want to publicize their methods _yet_ because
they COULD be beat to market by a product that has less
documentation/Testing/etc.

	If they seem willing to release the algorithm, and essential parts
of the source code, they might have at least a bit of a clue, if Mr.
Schneier is willing to bet reputation capital on it, I'd be hesitant to cry
"Snake oil". At least the first time.

--
[email protected] work related issues. I don't speak for Playboy.
[email protected] everything else.     They wouldn't like that.
                                              They REALLY
Economic speech IS political speech.          wouldn't like that.