On Monday 25 March 2002 11:08, Stephen Kent wrote:
I'm glad you mentioned what I consider to be a significant downside
of pre-shared secrets, although we come to very different
conclusions. It is not too hard to imagine an attack in which the
initiator connects to the wrong address, e.g., via some form of DNS
attack, and the fake responder collects the initiator's secret, then
drops the connection.
I thought this authentication method is YEARS gone? A-la HTTP Basic
Authentication?
Isn't practically everybody today using some form of challenge-response
auth with pre-shared secrets? [real-life examples would be helpful.]
--