ietf-smime
[Top] [All Lists]

Re: Password-based Encryption for S/MIME...

1999-11-17 21:11:06
At 05:23 PM 11/17/99 -0500, Carlisle Adams wrote:

2) The Security Considerations section currently contains only the following
sentence:  "The security of this recipient information type rests on the
security of the underlying mechanisms employed, for which further
information can be found in CMS and PKCS5v2."  I suggest adding a new
paragraph along the following lines.

"More importantly, however, the security of this information type rests on
the entropy of the user-selected password, which is typically quite low.
Pass phrases (as opposed to simple passwords) are STRONGLY RECOMMENDED,
although it should be recognized that even with pass phrases it will be
difficult to use this recipient information type to derive a KEK with
sufficient entropy to properly protect a 128-bit (or higher) CEK."

    Pass phrases for cryptographic keys???  Simple static reusable passwords??!

    I beg your pardon for delurking at this late stage in the WG
discussions, but I was under the impression that the question of how to
resolve a cryptographicly strong key from a small password has been a
solved problem since the early 1990s, with the various ancestors of Bellovin
& Merritt's DH-EKE family, including Dave Jablon's SPEKE,  Tom Wu's SRP-3,
and a slew of others: Augmented EKE, Mike Roe's S3P series, Stefan Lucks's
OKE, etc., etc. 

   Jablon's firm, IntegritySciences, -- which I believe recently license
SPEKE to Entrust -- has a fullsome page of references and live URLs for the
relevant work at: <http://www.IntegritySciences.com/links.html#PK99>

    Suggesting a password-based S/MIME which does not take advantage of any
of the well-documented and proven methods for safely expanding a small
password into a cryptographically respectable key  sounds like the WG is
proposing something like 40-bit  symmetric crypto as a future standard.  Are
the IP issues so entangled that the WG is left with such a meager and
embarrassingly fragile offering?