[cryptography] Oddity in common bcrypt implementation
marsh at extendedsubset.com
Tue Jun 28 13:07:12 EDT 2011
On 06/28/2011 10:25 AM, Nico Williams wrote:
> But doesn't the AAA server get the password in the clear?
Not in cases like MS-CHAPv2. Most shops seem to "require" the use of it,
having thrown out classic RADIUS "PAP" along with MS-CHAPv1.
> If so the server can make it right.
Define 'right' when the guy on the other end of the wire was written
with an older, underspecified version of the spec. Or even with the
> It's protocols that use PBKDFs on clients
> that get into trouble (think of DIGEST-MD5, SCRAM, Kerberos, any