Re: Closing on shared-key authentication
Tom,
Please read below your comments.
At 10:51 AM 10/11/96 -0700, you wrote:
>Marc VanHeyningen wrote:
>>
>> > - The only security reason for including password auth in TLS is
>> > that it gains stronger security by having access to strong crypto
>> > in the export case. I don't think we should include features this
>> > major based solely on brain-damaged US export regulations that
>> > will hopefully soon change.
>>
>> Seems to me that's only if you assume the best way to secure password
>> auth is to just encrypt the password, as opposed to using other
>> more sophisticated methods.
>
>No, you should certainly do something more than just send the password
>encrypted. You should avoid sending the password at all, encrypted or
>otherwise. Some sort of challenge/response mechanism would be
>appropriate, but you are protected from eavesdroppers if you encrypt
>the data.
I think that this is a good idea to incorporate in TLS, or at least provide
for that option in the protocol.
>
>> It also is true only if you're willing to accept authentication that
>> is dependent upon the security of the encryption; some people feel
>> this is undesirable for reasons having nothing to do with export
>> regulations.
>
>Do you suggest that the encryption (even 40-bit) is the weak link in
>this scheme? I don't think so. While there may be some advantages to
>be gained by moving the dependency up to the security of the key
>exchange from that of the bulk cipher, I don't think they outweigh the
>disadvantages.
I just can't agree completely with you here Tom. 40 bit has already been
broken and can easily be broken again in about 2 seconds.
Regards,
>
>--
>You should only break rules of style if you can | Tom Weinstein
>coherently explain what you gain by so doing. | tomw@xxxxxxxxxxxx
>
>
>
Jeffrey A. Williams
SR.Internet Network Eng.
CEO., IEG., INC., Representing PDS .Ltd.
Web: http://www.pds-link.com
Phone: 214-793-7445 (Direct Line)
Director of Network Eng. and Development IEG. INC.