Other Directory Sites: SeekWonder | Directory Owners Forum
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:14:01
Mok-Kong Shen (mok-kong.shen@stud.uni-muenchen.de)
Tue, 22 Sep 1998 19:10:41 +0100
Bruce Schneier wrote:
>
> At 03:04 PM 9/22/98 +0100, Mok-Kong Shen wrote:
> >Bruce Schneier wrote:
> >>
> >> >I suppose you misunderstood me. I mean the 'mathematical magic'
> >> >cannot be made public. (Or is 'online protocol' = 'mathematical magic'?)
> >> >If the 'magic' is public then the attacker with the pool of passwords
> >> >could brute force offline.
> >>
> >> No. You misunderstood me. There is NOTHING secret except the key.
> >> The online protocol, mathematical magic, source code, algorithm details,
> >> and everything else can be made public. There are no secrets in the
> >> system except for the keys.
> >
> >In that case please allow me to go back to a point raised by me
> >previously. The user uses his 'remembered secret' (of fewer bits)
> >through a public algorithm (including protocol) to retrieve from a
> >pool the password (of more bits). If the attacker doesn't have the
> >pool then everything looks fine. But if he manages to get the pool
> >(a case someone mentioned in this thread) then he can obviously
> >brute force offline, I believe, since he possesses now everything
> >the legitimate user has, excepting the 'remembered secret'. Or is
> >there anything wrong with my logic?
>
> Yes. There is something wrong with you logic.
Please kindly explain. I like very much to learn from my errors.
Thank you very much in advance.
M. K. Shen
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:14:01