[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ArcotSign (was Re: Does security depend on hardware?)

To: Bruce Schneier <[email protected]>
Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
From: Mok-Kong Shen <[email protected]>
Date: Tue, 22 Sep 1998 19:10:41 +0100
CC: [email protected], [email protected], [email protected]
Organization: Studenten; LRZ; Universitaet Muenchen
References: <Pine.LNX.3.96.980921133001.20069A-100000@blackbox> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]>
Sender: [email protected]


Bruce Schneier wrote:
> 
> At 03:04 PM 9/22/98 +0100, Mok-Kong Shen wrote:
> >Bruce Schneier wrote:
> >>
> >> >I suppose you misunderstood me. I mean the 'mathematical magic'
> >> >cannot be made public. (Or is 'online protocol' = 'mathematical magic'?)
> >> >If the 'magic' is public then the attacker with the pool of passwords
> >> >could brute force offline.
> >>
> >> No.  You misunderstood me.  There is NOTHING secret except the key.
> >> The online protocol, mathematical magic, source code, algorithm details,
> >> and everything else can be made public.  There are no secrets in the
> >> system except for the keys.
> >
> >In that case please allow me to go back to a point raised by me
> >previously. The user uses his 'remembered secret' (of fewer bits)
> >through a public algorithm (including protocol) to retrieve from a
> >pool the password (of more bits). If the attacker doesn't have the
> >pool then everything looks fine. But if he manages to get the pool
> >(a case someone mentioned in this thread) then he can obviously
> >brute force offline, I believe, since he possesses now everything
> >the legitimate user has, excepting the 'remembered secret'. Or is
> >there anything wrong with my logic?
> 
> Yes.  There is something wrong with you logic.

Please kindly explain. I like very much to learn from my errors.
Thank you very much in advance.

M. K. Shen

Follow-Ups:
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: "Kriston J. Rehberg" <[email protected]>
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: Bruce Schneier <[email protected]>

References:
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: bram <[email protected]>
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: Bruce Schneier <[email protected]>
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: Bruce Schneier <[email protected]>
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: Bruce Schneier <[email protected]>
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: Bruce Schneier <[email protected]>
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: Bruce Schneier <[email protected]>
- Re: ArcotSign (was Re: Does security depend on hardware?)
  - From: Bruce Schneier <[email protected]>

Prev by Date: CTIA Daily News from WOW-COM - September 22, 1998
Next by Date: Re: This is a listed crime?
Prev by thread: Re: ArcotSign (was Re: Does security depend on hardware?)
Next by thread: Re: ArcotSign (was Re: Does security depend on hardware?)
Index(es):
- Date
- Thread