[Cfrg] Reply: Re: Reply: Re: Reply: Re: [saag] New draft: Hashed Password Exchange

zhou.sujing@zte.com.cn Mon, 13 February 2012 00:43 UTC

Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 458A221F8623 for <cfrg@ietfa.amsl.com>; Sun, 12 Feb 2012 16:43:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.859
X-Spam-Level:
X-Spam-Status: No, score=-96.859 tagged_above=-999 required=5 tests=[AWL=0.324, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, RCVD_DOUBLE_IP_LOOSE=0.76, SARE_SUB_ENC_UTF8=0.152, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e77ciV0D3ho2 for <cfrg@ietfa.amsl.com>; Sun, 12 Feb 2012 16:43:14 -0800 (PST)
Received: from mx5.zte.com.cn (mx5.zte.com.cn [63.217.80.70]) by ietfa.amsl.com (Postfix) with ESMTP id ED5C321F8606 for <cfrg@irtf.org>; Sun, 12 Feb 2012 16:43:10 -0800 (PST)
Received: from [10.30.17.100] by mx5.zte.com.cn with surfront esmtp id 53829344249031; Mon, 13 Feb 2012 08:36:41 +0800 (CST)
Received: from [10.30.3.20] by [192.168.168.16] with StormMail ESMTP id 90429.412906327; Mon, 13 Feb 2012 08:43:06 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse01.zte.com.cn with ESMTP id q1D0h3nq030342; Mon, 13 Feb 2012 08:43:03 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
In-Reply-To: <6776D5F8-33B2-4266-BB0B-696AB64F41B9@cs.columbia.edu>
To: Steven Bellovin <smb@cs.columbia.edu>
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF0A6580C4.401C9E84-ON482579A3.00038590-482579A3.0003F27A@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Mon, 13 Feb 2012 08:43:03 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.1FP4|July 25, 2010) at 2012-02-13 08:43:04, Serialize complete at 2012-02-13 08:43:04
Content-Type: multipart/alternative; boundary="=_alternative 0003F27A482579A3_="
X-MAIL: mse01.zte.com.cn q1D0h3nq030342
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] Reply: Re: Reply: Re: Reply: Re: [saag] New draft: Hashed Password Exchange
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 00:43:15 -0000

Regards~~~

-Sujing Zhou

Steven Bellovin <smb@cs.columbia.edu> wrote on 2012-02-13 08:37:08:

> 
> On Feb 12, 2012, at 7:23 PM, zhou.sujing@zte.com.cn wrote:
> 
> > 
> > Regards~~~
> > 
> > -Sujing Zhou 
> > 
> > Steven Bellovin <smb@cs.columbia.edu> wrote on 2012-02-12 06:08:41:
> > 
> > > 
> > > On Feb 9, 2012, at 7:35 PM, zhou.sujing@zte.com.cn wrote:
> > > 
> > > > 
> > > > 
> > > > Steven Bellovin <smb@cs.columbia.edu> wrote on 2012-02-09 20:32:07:
> > > > 
> > > > > I dealt with that in my note: how do you deal with multiple devices?
> > > > 
> > > > Just copy and paste to all the devices, or retrieve the required long key from a USB key.
> > > > It is seldom required to change, so it does not bring much inconvenience, and is just an option for users to choose.
> > > > 
> > > Apart from the fact that I think that that's user-unfriendly, I still don't
> > > understand what problem you are trying to solve.
> > 
> > To resolve the problem of people having almost the same passwords saved at almost all the service providers,
> > by combining a long secret key and some easy-to-remember passwords, with some sacrifice of user-friendliness.
> > It is an option for people who put security ahead of a little inconvenience.
> > 
> 
> Because the hashing includes the service provider, the same password on
> different sites will hash to different values, solving that problem without
> the inconvenience.
Yes, I know your proposal and I understand it.
I mean your proposal can have an extra option of hashing (long secret key||password||username||service provider name),
in case people worry about dictionary attacks after the passwords saved at the service provider's side are exposed;
in other words, to add some entropy.

>       --Steve Bellovin, https://www.cs.columbia.edu/~smb
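As an added illustration of the two points argued in this thread (it is not code from the draft under discussion, nor from either correspondent), the following Python derives a per-site value from the password, username and service provider name, with an optional long secret mixed in as the user's extra entropy. The use of PBKDF2, the field layout, the iteration count and the constructed wordlist are all assumptions made for the demonstration, not the draft's own design.

```python
import hashlib
import hmac

# Constructed wordlist for the demonstration; not real data.
WORDLIST = ["letmein", "password", "qwerty", "dragon", "sunshine"]

# Assumed stand-in for a user's long secret key (the thread's "long key from a USB key").
LONG_SECRET = bytes(range(32))


def derive_site_password(password: str, username: str, service: str,
                         long_secret: bytes = b"", iterations: int = 2000) -> str:
    """Per-site value from (long secret || username || service) as salt and the
    memorable password as input. Because the service name is part of the
    derivation, one password yields a different value at every provider."""
    salt = b"\x00".join([long_secret, username.encode("utf-8"), service.encode("utf-8")])
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def dictionary_recovery(stored: str, username: str, service: str, wordlist,
                        known_secret: bytes = b"", iterations: int = 2000):
    """Models an offline guess over a leaked provider-side value: the guesser
    knows the public username/service names and whatever secret is passed in.
    Returns the recovered password, or None if no wordlist entry matches."""
    for guess in wordlist:
        candidate = derive_site_password(guess, username, service, known_secret, iterations)
        if hmac.compare_digest(candidate, stored):
            return guess
    return None


def demo() -> dict:
    """Shows (1) per-site values differ for one password and (2) a leaked value
    derived with a long secret resists wordlist guessing when the secret is absent."""
    password, user = "dragon", "alice"
    mail_value = derive_site_password(password, user, "mail.example")
    shop_value = derive_site_password(password, user, "shop.example")
    keyed_value = derive_site_password(password, user, "mail.example", LONG_SECRET)
    return {
        "per_site_differs": mail_value != shop_value,
        # Provider database exposed, no long secret in use: the weak password falls.
        "recovered_without_secret": dictionary_recovery(mail_value, user, "mail.example", WORDLIST),
        # Same exposure, but the user mixed in a long secret the provider never saw.
        "recovered_with_secret": dictionary_recovery(keyed_value, user, "mail.example", WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The second guess loop fails only because the long secret is not an input the guesser holds; the construction does nothing to protect a weak password once that secret is also exposed, which is why the thread treats it as an option traded against the cost of keeping the key on every device.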