Re: No More Passwords In The Clear in HTTP!

Michael A. Dolan (miked@cts.com)
Tue, 10 Jan 1995 20:11:15 +0100


At 01:03 AM 1/10/95 +0100, Daniel W. Connolly wrote:
>
>p.s. I hear s-key is another simple technology that eliminates the
>need to send passwords in the clear. But for the life of me, I can't
>find a technical description of it. Is there an RFC that I just can't
>find? Could somebody send me a pointer?

<A HREF="ftp://thumper.bellcore.com/pub/nmh">S/Key Source</a>

I also have a hardcopy of a white paper from Neil M. Haller at Bellcore that
describes S/Key. It is clever and worthy of consideration. It may be
available electronically at the above site somewhere.

One problem with this and the Spyglass schemes is that the password must
be passed once via some other means, and, in the case of S/Key, each time the
password expires. S/Key seems to have been designed to solve the problem
of the remote person who wishes to login to a home site over
questionable comm links, but otherwise has some secure means of setting
and changing passwords at the home facility.

Mike
-----------------------------------------------
Michael A. Dolan <mailto:miked@cerf.net>
TerraByte Technology (619) 445-9070, FAX -8864
PO Box 1673, Alpine, CA 91903-1673