
Re: ArcotSign (was Re: Does security depend on hardware?)




Bruce Schneier wrote:
> 
> >I suppose you misunderstood me. I mean the 'mathematical magic'
> >cannot be made public. (Or is 'online protocol' = 'mathematical magic'?)
> >If the 'magic' is public then the attacker with the pool of passwords
> >could brute force offline.
> 
> No.  You misunderstood me.  There is NOTHING secret except the key.
> The online protocol, mathematical magic, source code, algorithm details,
> and everything else can be made public.  There are no secrets in the
> system except for the keys.

In that case please allow me to go back to a point raised by me
previously. The user uses his 'remembered secret' (of fewer bits) 
through a public algorithm (including protocol) to retrieve from a 
pool the password (of more bits). If the attacker doesn't have the 
pool then everything looks fine. But if he manages to get the pool
(a case someone mentioned in this thread) then he can obviously
brute force offline, I believe, since he possesses now everything
the legitimate user has, excepting the 'remembered secret'. Or is
there anything wrong with my logic?

M. K. Shen
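
The offline-guessing question raised in the message above, as an added example that is not part of the original post or of ArcotSign. It assumes a constructed scheme: a 4-digit remembered secret, PBKDF2 as the public algorithm, XOR wrapping of a random 16-byte password, and an optional HMAC tag stored with the entry. It counts how many guesses someone holding only the stored entry can rule out locally.

```python
import hashlib, hmac, secrets

def keystream(secret: str, salt: bytes, n: int) -> bytes:
    # Public algorithm (assumed here); low iteration count so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100, dklen=n)

def wrap(password: bytes, secret: str, salt: bytes, with_tag: bool):
    # Pool entry: password XOR keystream, optionally with a tag over the ciphertext.
    ks = keystream(secret, salt, len(password) + 32)
    ct = bytes(a ^ b for a, b in zip(password, ks))
    tag = hmac.new(ks[-32:], ct, hashlib.sha256).digest() if with_tag else None
    return ct, tag

def unwrap(ct: bytes, secret: str, salt: bytes) -> bytes:
    # What the legitimate user does with the remembered secret.
    ks = keystream(secret, salt, len(ct) + 32)
    return bytes(a ^ b for a, b in zip(ct, ks))

def surviving_guesses(ct, tag, salt, guesses):
    """Guesses that cannot be ruled out using the stored entry alone."""
    if tag is None:
        # Every guess unwraps to 16 random-looking bytes; nothing to compare against.
        return list(guesses)
    keep = []
    for g in guesses:
        mac_key = keystream(g, salt, len(ct) + 32)[-32:]
        expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            keep.append(g)
    return keep

ALL_PINS = [f"{i:04d}" for i in range(10_000)]  # the whole remembered-secret space

def demo(pin: str = "4821"):  # constructed sample secret
    salt, password = secrets.token_bytes(16), secrets.token_bytes(16)
    results = {}
    for with_tag in (True, False):
        ct, tag = wrap(password, pin, salt, with_tag)
        assert unwrap(ct, pin, salt) == password
        results[with_tag] = surviving_guesses(ct, tag, salt, ALL_PINS)
    return results

if __name__ == "__main__":
    r = demo()
    print("entry with tag, surviving guesses:", r[True])
    print("entry without tag, surviving guesses:", len(r[False]))
```

With a locally checkable entry the small secret space collapses to one candidate; without one, each candidate password has to be tested by some other means, such as the online protocol.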