ietf-smime

Re: Password-based Encryption for S/MIME...

1999-11-19 23:11:44
Vin McLellan <vin(_at_)shore(_dot_)net> writes:
    Pass phrases for cryptographic keys???  Simple static reusable 
passwords??!

    I beg your pardon for delurking at this late stage in the WG
discussions, but I was under the impression that the question of how to
resolve a cryptographically strong key from a small password has been a
solved problem since the early 1990s, with the various ancestors of Bellovin
& Merritt's DH-EKE family, including Dave Jablon's SPEKE,  Tom Wu's SRP-3,
and a slew of others: Augmented EKE, Mike Roe's S3P series, Stefan Lucks's
OKE, etc., etc.

AFAIK, all of these techniques are interactive. Certainly EKE, SPEKE,
AEKE and SRP are. S/MIME is nearly always used in a store-and-forward
context and therefore any technique used for this purpose must
be noninteractive.

    Suggesting a password-based S/MIME which does not take advantage of any
of the well-documented and proven methods for safely expanding a small
password into a cryptographically respectable key sounds like the WG is
proposing something like 40-bit symmetric crypto as a future standard.  Are
the IP issues so entangled that the WG is left with such a meager and
embarrassingly fragile offering?

I don't believe that IP is the issue. Rather, I'm not aware of any
techniques that are substantially superior to the one described
here.

That's not to say that this technique is satisfactory, merely
that if you want to use a password as the basis for an encryption
key in S/MIME it's pretty much your only alternative.

-Ekr

-- 
[Eric Rescorla                                   ekr(_at_)rtfm(_dot_)com]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/