Re: Salt (was: ICSA certifies weak crypto as secure)

1999-06-15 Thread Bill Frantz
At 8:26 AM -0700 6/4/99, Arnold G. Reinhold wrote: >At 9:18 AM +1000 6/2/99, Greg Rose wrote: >>(IMHO the design decision that would most profitably have changed was the >>limitation to 8 character passwords, not the salt. > >I agree with you here, though as Steve Bellovin pointed out, hashing had

ZK password proofs [Re: ICSA certifies weak crypto as secure]

1999-06-08 Thread David Jablon
As ??? correctly wrote: >>You can't use a hashed password for challenge/response, >>The fundamental problem is that users pick bad passwords and passphrases ... Bill Stewart responded: >Yup. I like S/Key better than the annoying Se[***]ID card I use to >log in to work, or public-key challen

Re: ICSA certifies weak crypto as secure

1999-06-07 Thread Bill Stewart
The important points were >Btw -- large password files using anything like this scheme are obsolescent. >You can't use a hashed password for challenge/response, >The fundamental problem is that users pick bad passwords and passphrases ... Yup. I like S/Key better than the annoying SecureID

Re: Salt (was: ICSA certifies weak crypto as secure)

1999-06-04 Thread Arnold G. Reinhold
At 9:18 AM +1000 6/2/99, Greg Rose wrote: >At 16:38 1/06/99 -0400, it was written: [by Arnold Reinhold] ... >> >>I would argue that UNIX is an excellent object lesson for John's point. 12 >>bits was a bad design decision, even in the 70's. > >I take exception to this last statement. The design (of

Re: ICSA certifies weak crypto as secure

1999-06-02 Thread John Kelsey
-BEGIN PGP SIGNED MESSAGE- [ To: Steve, Arnold ## Cc: Perry's Crypto List ## Date: 06/01/99 ## Subject: Re: ICSA certifies weak crypto as secure ] >To: "Arnold G. Reinhold" <[EMAIL PROTECTED]> >Cc: John Kelsey <[EMAIL PROTECTED]>, [EMAIL PROTEC

Re: ICSA certifies weak crypto as secure

1999-06-02 Thread Arnold G. Reinhold
At 10:20 PM -0400 6/1/99, Steven M. Bellovin wrote: >In message , "Arnold G. Reinhold" >writes >: > >> >> It is also desirable to be able to increase the memory footprint of your >> key stretcher as well its iteration count. > >That's far from clear. More or

Re: ICSA certifies weak crypto as secure

1999-06-02 Thread John Gilmore
John Kelsey said, in a list of what people do wrong in crypto: > e. In exportable systems, you have to use the salt > correctly. If you just use a 40-bit key, you end up > vulnerable to various kinds of precomputation attack. > > f. In exportable systems, you have to separate the keys > used f

Salt (was: ICSA certifies weak crypto as secure)

1999-06-02 Thread Greg Rose
At 16:38 1/06/99 -0400, it was written: >At 11:48 AM -0400 6/1/99, Steven M. Bellovin replied to John Kelsey ><[EMAIL PROTECTED]> message: >>Why 32 bits? Salts are good, and often cheap, but I'm curious what your >>rationale is. Traditionally, a salt serves two purposes: to increase the >>expe

Re: ICSA certifies weak crypto as secure

1999-06-02 Thread Anonymous
In message , "Arnold G. Reinhold" writes : > > It is also desirable to be able to increase the memory footprint of your > key stretcher as well its iteration count. That's far from clear. More or less any reasonable factor is dwarfed by the rapid expansio

Re: ICSA certifies weak crypto as secure

1999-06-01 Thread Arnold G. Reinhold
At 11:48 AM -0400 6/1/99, Steven M. Bellovin replied to John Kelsey <[EMAIL PROTECTED]> message: >> >> a. Make the passphrase hash expensive. There are lots of >> ways to do this. Users shouldn't mind a half-second delay >> for hashing their passphrase, but this will make dictionary >> attacks

Re: ICSA certifies weak crypto as secure

1999-06-01 Thread Steven M. Bellovin
> > a. Make the passphrase hash expensive. There are lots of > ways to do this. Users shouldn't mind a half-second delay > for hashing their passphrase, but this will make dictionary > attacks much harder to mount. Right, though of course Moore's Law will tend to erode this over time if it's

Re: ICSA certifies weak crypto as secure

1999-06-01 Thread John Kelsey
-BEGIN PGP SIGNED MESSAGE- [ To: Perry's Crypto List, Arnold Reinhold ## Date:05/28/99 ## Subject: Re: ICSA certifies weak crypto as secure ] >Date: Fri, 28 May 1999 11:42:03 -0400 >From: "Arnold G. Reinhold" <[EMAIL PROTECTED]> >Subject: Re: ICSA certif

Re: ICSA certifies weak crypto as secure

1999-05-28 Thread David Jablon
At 11:42 AM 5/28/99 -0400, Arnold G. Reinhold presented his "top 10" common bad security practices. Generally good advice, but I've pulled #3 for amendment: > 3. Use of short passwords or weak passphrases to protect private keys or, > worse, using them to generate symmetric keys. Bad passphrase

Re: ICSA certifies weak crypto as secure

1999-05-28 Thread Eric Murray
On Fri, May 28, 1999 at 11:42:03AM -0400, Arnold G. Reinhold wrote: > At 1:36 PM -0400 5/27/99, Kawika Daguio wrote: > What I would like to know from you is whether you and others have been > able to construct a "duh" list of typical, but unacceptable current > practices that can easily be remedi

Re: ICSA certifies weak crypto as secure

1999-05-28 Thread Arnold G. Reinhold
At 1:36 PM -0400 5/27/99, Kawika Daguio wrote: What I would like to know from you is whether you and others have been able to construct a "duh" list of typical, but unacceptable current practices that can easily be remediated. Here are my top 10 candidates for a "duh" list: 1. Keys that are too