Hal Finney wrote:
> The recommended technique I've seen for this (I think David Wagner
> suggested it on sci.crypt years ago) is to use a MAC:
>
> key = MAC (password, keyname)
>
> The security property of a MAC is that you can get as many messages MAC'd
> as you want, and you won't be able to guess a MAC on any new messages.
> That's exactly what you want here, that an attacker can learn keys when he
> knows or chooses keynames, but be unable to guess any keys for any other
> keynames. It's a good fit to the security requirements for your problem.
as previously noted ... financial industry has had a standard for derived key for some time. a variation on this is the iterative hash for one-time password (except the keyname became the server specific "salt" and there was added value for the number of hash iterations) ... the claim was that it was targeted at an end-user who could walk up to an open environment w/o anything other than their passphrase ... and be able to logon.

various MITM attacks against the server were examined ... however there wasn't equal examination of MITM attacks against the end-user (i.e. providing a count of one to the end-user ... so that the attacker then can reproduce all subsequent hash iteration values) ... misc. past postings

http://www.garlic.com/~lynn/2003n.html#1 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#2 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#3 public key vs passwd authentication?
http://www.garlic.com/~lynn/2005i.html#50 XOR passphrase with a constant

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]