Date: Mon Mar 13 23:02:30 2006
From: tim-security at sentinelchicken.org (Tim)
Subject: HTTP AUTH BASIC monowall.

> Although something else may have been intended by using the phrase
> "password-authenticated key agreement", let's not forget that's all PKI is -
> key agreement based on verifying a password.
> At the server end, the site admin's password is verified, e.g. for SSL servers.
> At the client, if you're lucky, the user chose a hard to crack password.

Hmm... Your terminology is sounding a bit off.  Passwords are symmetric
keys.  PKI stands for Public Key Infrastructure.  I think what you mean
here is that the server's public key (contained in the certificate) is
verified based on a provided signature/challenge generated by the
server's private key, and by signatures of "trusted" certificate
authorities, along with a whole host of other things.  Sure, the site
admins may protect their private key with a password, but even if they
don't, it has nothing to do with the PKI.

As for the client side, they usually use passwords, but they may also
use client-side certificates in SSL with no password at all.

> That, and the access controls on each endpoint, are all that authenticates any
> PKI-based schema.

True, if you are worried about local attackers at the endpoint.  These
access controls are usually permissions in conjunction with a symmetric
key (password).

tim
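The distinction Tim draws above (the server proves possession of the private key behind its certificate, the client checks the CA's signature on that certificate, and no password takes part in either step) can be shown end to end in a few dozen lines. The following is an added Go example written for this archive page; it is not code from the thread or from m0n0wall. It builds an in-memory root CA and a server certificate for the hypothetical host `firewall.example` (both names are constructed), has the server sign a client-chosen nonce with its private key, and has the client validate the certificate chain before checking that signature. A party holding only the certificate, which is public, cannot pass the challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair; the private half stays with its owner.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer's key under parent (tmpl as its own parent gives a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI creates an in-memory root CA and a server certificate for the hypothetical
// host "firewall.example": the CA cert is what a client trusts, the server cert is what the
// server presents, and the server key is what only the server holds.
func BuildDemoPKI() (ca, srv *x509.Certificate, srvKey *ecdsa.PrivateKey, err error) {
	caKey := newKey()
	srvKey = newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	// The CA's private key signs the server certificate; the client later checks that signature.
	srv, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "firewall.example"},
		DNSNames:     []string{"firewall.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &srvKey.PublicKey, caKey)
	return ca, srv, srvKey, err
}

// SignChallenge is the server side: it proves possession of the private key by
// signing a client-chosen nonce. No password takes part in this step.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyServer is the client side: the presented certificate must chain to a trusted CA
// and name the expected host, then the nonce signature must verify under its public key.
func VerifyServer(trustedCA, presented *x509.Certificate, host string, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	// CheckSignature hashes the nonce with SHA-256 and verifies it with the certificate's public key.
	if err := presented.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("challenge failed, peer does not hold the private key: %w", err)
	}
	return nil
}

func main() {
	ca, srv, key, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	nonce := []byte("constructed-client-nonce-0001") // constructed sample value
	sig, _ := SignChallenge(key, nonce)
	fmt.Println("genuine server:", VerifyServer(ca, srv, "firewall.example", nonce, sig))
	badSig, _ := SignChallenge(newKey(), nonce) // holds the certificate but not the key
	fmt.Println("impostor:", VerifyServer(ca, srv, "firewall.example", nonce, badSig))
}
```

The order inside `VerifyServer` matters: chain validation first establishes which public key the client is entitled to trust for this host name, and only then is the signature over the fresh nonce checked against that key. Encrypting the private key file with a password at rest, as Tim notes, sits entirely outside this exchange; the client never learns whether such a password exists.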
