Peter Gutmann (pgut001@cs.auckland.ac.nz)
Wed, 20 May 1998 23:58:44 (NZST)
>Here are some ways to prevent eavesdropper dictionary attacks on passwords:
>
>(1) use one of the SPEKE or EKE-style protocols,
>(2) use PK encryption with certificates or pre-distributed stored keys, or
>(3) use challenge/response or Kerberos and force *all* passwords to be chosen
>with a method that guarantees large entropy.
>
>Some tradeoffs are:
>
>(3) is distasteful to users, (2) requires stored public keys or certificates
>and provides less direct protection for the password, and (1) hasn't been
>built into many applications ... yet.
Another tradeoff is that there are patent problems with some of the above
solutions. How much of the EKE-style protocol field is restricted by patents?
Isn't most of the field pretty much a lost cause?
Peter.
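The tradeoff behind option (3) in the quoted list is easy to see on a concrete transcript. The following Python script is an added example and is not part of the thread; the function names (`respond`, `offline_dictionary_attack`, `required_length`) and the tiny word list are constructed for illustration. It captures one challenge/response exchange (HMAC-SHA256 keyed with the password) as an eavesdropper would, runs an offline dictionary attack against it, and then computes how long a randomly generated password must be for such an attack to be hopeless, which is exactly why (3) has to force the choice of password.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional, Sequence, Tuple

# Constructed sample word list standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "monkey", "dragon"]


def respond(password: str, challenge: bytes) -> bytes:
    """Client side of a plain challenge/response: prove knowledge of the
    password by returning HMAC(password, challenge)."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def offline_dictionary_attack(challenge: bytes, response: bytes,
                              wordlist: Sequence[str]) -> Optional[str]:
    """Eavesdropper's view: only the captured (challenge, response) pair is
    needed; every candidate can be tested offline with no further contact
    with the server, so nothing rate-limits the guessing."""
    for candidate in wordlist:
        if hmac.compare_digest(respond(candidate, challenge), response):
            return candidate
    return None


def entropy_bits(n_choices: int, n_symbols: int) -> float:
    """Entropy of a password built from n_symbols uniformly random picks
    out of n_choices possibilities (characters, or words in a list)."""
    return n_symbols * math.log2(n_choices)


def required_length(n_choices: int, target_bits: float) -> int:
    """Smallest number of uniformly random symbols reaching target_bits."""
    return math.ceil(target_bits / math.log2(n_choices))


def generate_password(target_bits: float = 128.0,
                      alphabet: str = string.ascii_letters + string.digits) -> Tuple[str, float]:
    """The 'forced method' of option (3): the user does not pick the password,
    it is drawn uniformly with secrets.choice so its entropy is guaranteed."""
    length = required_length(len(alphabet), target_bits)
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    # Sample exchange with a user-chosen password (constructed).
    challenge = secrets.token_bytes(16)
    captured = respond("hunter2", challenge)
    print("recovered:", offline_dictionary_attack(challenge, captured, WORDLIST))

    # Same protocol, but the password came from generate_password().
    strong, bits = generate_password()
    captured = respond(strong, challenge)
    print("recovered:", offline_dictionary_attack(challenge, captured, WORDLIST),
          f"(password has {bits:.1f} bits; dictionary is useless)")
```

The attack needs no interaction after the capture, so server-side lockouts or throttling do not help; the only lever left under option (3) is to make the password space larger than any dictionary, which is what `required_length` quantifies (22 alphanumeric characters for 128 bits). An EKE/SPEKE-style protocol removes the problem at the root by never giving the eavesdropper a value that a candidate password can be checked against.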
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:17:30 ADT