| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <09FD0397-B564-43CF-89E6-F7B91F935195@taplink.co>
Date: Mon, 31 Mar 2014 09:08:35 -0700
From: Jeremy Spilman <jeremy@...link.co>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Cc: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [SPAM] [PHC] New password authentication protocol: Tabby PAKE
Hi Chris,
I really enjoyed a read through of your paper. I found it very easy to follow, and I'm looking forward to digging into the math, particular your use of Snowshoe Elligator.
One pet peeve of mine, which SRP does the exact same thing even in the RFC, but still...
From 2.3:
Off-line dictionary attack resistance: Passive and active attackers must not gain any knowledge that enables them to mount an exhaustive search for the password by interacting with the protocol.
The last 3 words indicate you mean offline attack from inspecting protocol messages. Can you please clarify this and in the same section please explain the properties of an offline attack against the validator database?
3.3.4 discusses offline dictionary attack where the validator database is known. But then 3.4.1 goes back to discuss dictionary attack resistance only in terms of protocol messages.
I don't want to minimize any advantages, but I think going to extra lengths to differentiate these two attack modes does a great service to the average user of the scheme.
Thanks for developing all this and sharing with us!
Content of type "text/html" skipped
Powered by blists - more mailing lists