12. Strong Password Protocols
12.1. Introduction
Suppose a user, Alice, wants to use any workstation to log into a server, Bob. Assume she has nothing but a password with which to authenticate herself. Assume the workstation has no user-specific configuration, such as the user's trusted CAs, or the user's private key. Also assume that the software on the workstation is trustworthy. There are various ways Alice might use a password to authenticate herself to server Bob:
- Transmit it over the wire, in the clear. This leaves Alice's password vulnerable to discovery by an eavesdropper, or someone impersonating Bob.
- Do an anonymous Diffie-Hellman exchange to establish a secret key and an encrypted tunnel, and send the password over that encrypted ...
Get Network Security: Private Communication in a Public World, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.