Re: No More Passwords In The Clear in HTTP!

Daniel W. Connolly ([email protected])
Tue, 10 Jan 1995 02:27:02 +0100


In message <[email protected]>, Brian Behl
endorf writes:
> Brian
>
>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>[email protected] [email protected] http://www.hotwired.com/Staff/brian/

Yikes! Jinks! I asked for a reference to s-key in my p.s.
Brian replies to other issues, but includes the address of
his home-page.

Dan wastes a little time surfing Brian's home-page, and subconsiously
follows these links...

http://www.hotwired.com/Staff/brian/
http://www.hotwired.com/Staff/brian/links.html
http://www.ccs.neu.edu/home/thigpen/index.html
http://www.ccs.neu.edu/home/thigpen/html/interests.html
http://www.ccs.neu.edu/home/thigpen/html/security.html

Which has a handy reference to the S/Key paper from bellcore:
http://www.ccs.neu.edu/home/thigpen/docs/security_papers/ISOC.symp.ps

After reading the S/Key paper, I think we should consider it in place
of the simple challenge/response system.

Advantages of S/Key:

* passwords are _not_ stored on the server side in clear
form.
* user can securely use the same password at different sites
* password can be changed without sending it over the net

Drawbacks:
* server-side passwd database is not read-only: server must
update the user's count of logins each time
* doesn't support the opaque="..." feature of the spyglass proposal

Dan