This is a repeat of a response I made on Slashdot; do not adjust your set. I'm just running around trying to counter some of the misconceptions that this series of articles might create...
I'm sorry, but for the main part it seems like interpreting Bruce Schneier's motto "Security is a process, not a product" to
mean that therefore all products are insecure and we should panic. It's hardly news that these products don't drop into place
and create perfect security. No measure is perfect; what's wonderful is that when you use these measures, it gives an
attacker headaches like greater expense and difficulty and a better chance of being caught, and that's what computer
security is really all about.
Now I think there's a lot to be said for articles that detail the ways someone might try and mount attacks that circumvent the
protection offered by these measures, so that you know how to gain the most protection from them, but presenting it in the
form of alarmism about sensible security precautions is irresponsible.
Also, there's at least one important error in this article: Unlike SRP, B-SPEKE et al, Kerberos is not a ZKP password
protocol. The Kerberos password protocol, IIRC, is a "weak" password protocol that allows offline dictionary attacks where
no extra authentication information exists at the client end. Seifreid interviewed the creator of SRP last year (sorry, can't find
URL just now), but I'm not sure he "gets it" about why SRP and friends are so great.
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
[ Parent ]