Hi David David Wilson wrote:
On Wed, 2009-09-23 at 16:44 -0400, Kemp, David P. wrote:David's table indicates that "encrypting" (salted hashing) requires some knowledge in the DUA for option 2, and I don't claim that standardizing a method and implementing the standard is trivial. But in principle the salt would have to be based on either invariant data about the DSA (e.g. DNS name/port) entered/configured by the user and needed to connect, or remembered/typed by the user after being randomly generated by the DUA. Storing it in a DUA-maintained registry/address book would inhibit user mobility, and storing user-specific salt on the DSA would require an extra message. If the connection protocol includes a DSA-to-DUA message before the DUA-initiated BIND, that message could include a DSA ID from which salt could be derived.The core problem with this kind of thing is that the salt (or nonce) is fixed. Which means that the same 'encrypted' password is passed in protocol each time, since the value passed in protocol is compared directly with the stored value. So, transport confidentiality needs to be used to protect the value passed, otherwise the same value can be used by an attacker for this server. (If the attacker is the administrator, then they don't even need to capture the protocol, they have access to the credentials required).
correct. This is why we think this method has little utility and is not recommended. In fact it is little different from the user simply having a longer password
David
Also, any salt really should be randomly generated for each password. If you have a fixed value for a server, then two users with the same password would have the same hashed value. regards David ----- www.x500standard.com: The central source for information on the X.500 Directory Standard.
-- ------------------------------------------------------------- The Israeli group Breaking the Silence has just released a collection of testimonies by Israeli soldiers that took part in the Gaza attack lastDecember and January. The testimonies expose significant gaps between the official stances of the Israeli military and events on the ground.
See http://www.shovrimshtika.org/news_item_e.asp?id=30 The Israeli government defies Obama, and continues its settlement expansionIsrael plans to allocate $250 million over the next two years for settlements
http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698 whilst simultaneously continuing to bulldoze Palestinian homes http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357 ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@xxxxxxxxxx Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 ***************************************************************** ----- www.x500standard.com: The central source for information on the X.500 Directory Standard.