Two more thoughts about credentials download protocols



First thought: A correction to what I presented at the sacred WG:

Tom Wu pointed out to me afterwards that the same trick we used in PDM of having
the server store B, for each user, and reusing the same B in
order to save an exponentiation, works also for SRP, if you were
to use SRP for credentials download (but not for use for mutual
authentication). He's right about that, so SRP requires
an expensive exponentiation and a 32-bit-exponent exponentiation,
whereas PDM requires one. With the same size modulus, this makes
them comparable, since a 32-bit exponentiation is negligible.

However, since PDM can almost certainly be
sufficiently secure with smaller moduli, the server computation
is still significantly less with PDM than with any scheme that has
a well-known p.

And SRP is still a 4-message protocol, whereas PDM can be 2.

*******************
The second thought is about the issue someone brought up about how if
you get out of sync with typing name and password, you could wind up
sending your password over the wire in the clear. Charlie suggested
a low-tech fix to that, which is that the password be required to
contain a character which is illegal in a name. For instance, if
"=" isn't legal in a name, and the user's
password is "mypassword", the user could be required to type ==mypassword.
And this might make a good user interface for putting in a hint. If
the hint is, say, "J", then the user could either type
=J=mypassword (which includes the hint), or ==mypassword (no hint).

Radia
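As an added illustration of the delimiter convention described in the second thought (example code written for this archive page, not code from the message, from Charlie, or from the sacred WG), here is a client-side check that refuses to put either field on the wire when the typed text looks out of sync. It assumes "=" is the character that is illegal in a name and assumes a constructed name syntax; both are assumptions, not anything the message specifies.

```python
import re

# Assumption for this example: "=" is the character that is illegal in a name.
DELIM = "="
# Constructed name syntax for the example; the point is only that it excludes DELIM.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_password_field(typed):
    """Parse the '=hint=password' convention from the message.

    '==mypassword'  -> ('', 'mypassword')   (no hint)
    '=J=mypassword' -> ('J', 'mypassword')  (hint 'J')
    Raises ValueError when the text does not follow the convention, which is
    exactly the out-of-sync case: it is then probably a name, not a password.
    """
    if not typed.startswith(DELIM):
        raise ValueError("password field lacks leading delimiter; not sending")
    # Split at the *first* delimiter after the leading one, so a password
    # that itself contains '=' survives intact.
    hint, sep, password = typed[len(DELIM):].partition(DELIM)
    if not sep or not password:
        raise ValueError("expected =hint=password")
    return hint, password


def check_login_fields(name_field, password_field):
    """Decide whether the two typed fields are safe to put on the wire.

    Returns ('ok', name, hint, password) or ('refuse', reason). The name
    prompt is the one sent in the clear, so a delimiter in it means the
    user typed the password one line too early; a password field with no
    delimiter means the name (or something else) landed in the wrong prompt.
    """
    if DELIM in name_field:
        return ("refuse", "name field contains the password delimiter")
    if not NAME_RE.match(name_field):
        return ("refuse", "name field is not a valid name")
    try:
        hint, password = parse_password_field(password_field)
    except ValueError as exc:
        return ("refuse", str(exc))
    return ("ok", name_field, hint, password)
```

The refusal path is what keeps the password off the wire: a name prompt that contains "=" or a password prompt that lacks it is never sent, regardless of which prompt the user believed they were answering.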