Re: Why are secure web pages so !@#$%^&*()_ slow


David Jablon (dpj@world.std.com)
Thu, 14 Jan 1999 09:55:07 -0500


At 10:16 PM 1/13/99 -0800, James A. Donald wrote:
> [...] So all this great encryption is used to merely prove
> possession of a shared four digit secret. Oh wow!

Presuming sarcasm on your part, I disagree.
You've raised legitimate questions about when and
where PK encryption is necessary. Personally, I see
no greater purpose for PK encryption than to protect
personal and shared secrets, both large and tiny.

In fact, I'm glad to be able to spend a couple tenths of a
second to connect a little more securely to my bank or broker.
If this seems extravagant, others have even explained how
SSL session resumption can amortize this tiny cost over
multiple transactions.

Under reasonable assumptions, PK encryption is absolutely
essential. In order to protect a PIN code, or any small secret,
at least one PK exchange is needed to create a secure session.
The real security tradeoff to be made is in how long
session keys should be kept lying around on both machines.

There are of course many ways to verify a memorized secret,
either using an SSL channel to authenticate the machines,
or in other methods, using the small secret for more direct
person-to-machine authentication. Either way you've got
to spend a little compute time to get there.

-------------------------
David P. Jablon
Integrity Sciences, Inc.
dpj@world.std.com
<http://world.std.com/~dpj/>
+1 508 898 9024
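The cost argument in the message above (one public-key exchange to set up a session key, the PIN sent only under that key, and session resumption reusing the key until it expires) can be made concrete with a small simulation. The code below is an added illustration written for this archive page, not code from David Jablon or from any SSL implementation: the Diffie-Hellman group (the Mersenne prime 2**61-1, generator 3) is a constructed toy far too small to be secure, the record protection is a constructed HMAC-SHA256 keystream with an HMAC tag standing in for a real TLS cipher suite, and the PIN value, session-id format and `key_lifetime` policy are assumptions made for the example. What it shows is the accounting: modular exponentiations are only paid when a session has to be (re)established, and the session-key lifetime is exactly the knob that trades handshake cost against how long key material sits on both machines.

```python
import hashlib
import hmac
import os
import secrets

# Constructed toy DH group: 61 bits is trivially breakable and is used only so
# the example runs offline. Real systems use >=2048-bit MODP groups or ECDH.
P = (1 << 61) - 1
G = 3

MODEXP_COUNT = {"n": 0}   # public-key operations performed so far


def modexp(base, exp):
    """Modular exponentiation, instrumented so the PK cost is visible."""
    MODEXP_COUNT["n"] += 1
    return pow(base, exp, P)


def dh_session_key():
    """One DH exchange: two modexps per side (public value, shared secret).
    Both sides are simulated here; returns the derived 32-byte session key."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    ya, yb = modexp(G, a), modexp(G, b)          # sent over the wire in clear
    shared_a, shared_b = modexp(yb, a), modexp(ya, b)
    assert shared_a == shared_b
    return hashlib.sha256(shared_a.to_bytes(8, "big")).digest()


def _keystream(key, nonce, nbytes):
    """Toy keystream: HMAC-SHA256(key, nonce || counter), constructed for this example."""
    blocks = (nbytes + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:nbytes]


def seal(key, msg):
    """Encrypt-then-MAC under the session key; the PIN never travels in clear."""
    nonce = os.urandom(16)
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Verify the tag in constant time, then decrypt; None on any failure."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """Holds the PIN and a cache of session keys with a fixed lifetime (seconds)."""

    def __init__(self, pin, key_lifetime):
        self.pin = pin
        self.key_lifetime = key_lifetime
        self.sessions = {}          # session_id -> (key, established_at)

    def new_session(self, now):
        """Full handshake: pay for a DH exchange, cache the key, hand the client its copy."""
        key = dh_session_key()
        sid = os.urandom(8)
        self.sessions[sid] = (key, now)
        return sid, key

    def resume(self, sid, now):
        """Resumption: accept the cached key if it is still within its lifetime,
        otherwise forget it so it is not 'lying around' any longer."""
        entry = self.sessions.get(sid)
        if entry is None or now - entry[1] > self.key_lifetime:
            self.sessions.pop(sid, None)
            return False
        return True

    def check_pin(self, sid, blob):
        """Decrypt under the session key and compare the PIN in constant time."""
        pt = open_(self.sessions[sid][0], blob)
        return pt is not None and hmac.compare_digest(pt, self.pin)


def run_transactions(n, key_lifetime, seconds_between, pin=b"4932"):
    """n PIN-protected transactions spaced seconds_between apart.
    Returns (every PIN check passed, modexps spent across all handshakes)."""
    MODEXP_COUNT["n"] = 0
    server = Server(pin, key_lifetime)
    sid, key, results = None, None, []
    for i in range(n):
        now = i * seconds_between
        if sid is None or not server.resume(sid, now):
            sid, key = server.new_session(now)   # only here is PK work done
        results.append(server.check_pin(sid, seal(key, pin)))
    return all(results), MODEXP_COUNT["n"]


if __name__ == "__main__":
    for lifetime in (300, 25, 0):
        ok, cost = run_transactions(5, key_lifetime=lifetime, seconds_between=10)
        print(f"lifetime={lifetime:>3}s  all PINs accepted={ok}  modexps={cost}")
```

With five transactions ten seconds apart, a 300-second lifetime costs one handshake (four modexps in this two-sides-simulated model), a 25-second lifetime forces a second handshake at the fourth transaction, and a zero lifetime pays the full exchange every time; that is the amortization the message refers to, and the lifetime is the only parameter that moves the cost.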




The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:03