[Security] PGP (XEP-0027)

Dirk Meyer dmeyer at tzi.de
Wed Jun 3 03:37:36 CDT 2009


Justin Karneges wrote:
> Do offline dictionary attacks matter? (Not that I'm advocating PSK, as I think 
> that's an even more esoteric feature than SRP).  At one point, our aim was to 
> have an online SAS exchange using a small, throw-away password.  Dirk: has 
> this changed?

No. The password is only used to bootstrap the trust relationship. If
someone knows the password one hour later, it does not matter. But
offline dictionary attacks are still an issue: when using something like
SCRAM, the client in the role of the TLS server can create a dictionary
before the handshake and use this dictionary during the SCRAM handshake
to find the password. I do not remember the details, it has been a while
since I looked at it.


Dirk

-- 
Smith & Wesson: The original point and click interface.


More information about the Security mailing list