Re: No More Passwords In The Clear in HTTP!

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Ross, Phil W [BB]: "FYI - Unisys press release of 95 JAN 06"
• Previous message: lilley: "Re: The GIF format as intellectual property (fwd)"
• Maybe in reply to: Daniel W. Connolly: "No More Passwords In The Clear in HTTP!"
• Next in thread: Jon E. Mittelhauser: "Re: No More Passwords In The Clear in HTTP!"

Yikes! Jinks! I asked for a reference to s-key in my p.s.
Brian replies to other issues, but includes the address of
his home-page.

Dan wastes a little time surfing Brian's home-page, and subconsiously
follows these links...

http://www.hotwired.com/Staff/brian/
http://www.hotwired.com/Staff/brian/links.html
http://www.ccs.neu.edu/home/thigpen/index.html
http://www.ccs.neu.edu/home/thigpen/html/interests.html
http://www.ccs.neu.edu/home/thigpen/html/security.html

Which has a handy reference to the S/Key paper from bellcore:
http://www.ccs.neu.edu/home/thigpen/docs/security_papers/ISOC.symp.ps

After reading the S/Key paper, I think we should consider it in place
of the simple challenge/response system.

Advantages of S/Key:

* passwords are _not_ stored on the server side in clear
form.
* user can securely use the same password at different sites
* password can be changed without sending it over the net

Drawbacks:
* server-side passwd database is not read-only: server must
update the user's count of logins each time
* doesn't support the opaque="..." feature of the spyglass proposal

Dan

• Next message: Ross, Phil W [BB]: "FYI - Unisys press release of 95 JAN 06"
• Previous message: lilley: "Re: The GIF format as intellectual property (fwd)"
• Maybe in reply to: Daniel W. Connolly: "No More Passwords In The Clear in HTTP!"
• Next in thread: Jon E. Mittelhauser: "Re: No More Passwords In The Clear in HTTP!"