12. Strong Password Protocols

12.1. Introduction

Suppose a user, Alice, wants to use any workstation to log into a server, Bob. Assume she has nothing but a password with which to authenticate herself. Assume the workstation has no user-specific configuration, such as the user's trusted CAs, or the user's private key. Also assume that the software on the workstation is trustworthy. There are various ways Alice might use a password to authenticate herself to server Bob:

  • Transmit it over the wire, in the clear. This leaves Alice's password vulnerable to discovery by an eavesdropper, or someone impersonating Bob.
  • Do an anonymous Diffie-Hellman exchange to establish a secret key and an encrypted tunnel, and send the password over that encrypted ...

Get Network Security: Private Communication in a Public World, Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.