[cryptography] can the German government read PGP and ssh traffic?

Joe St Sauver joe at oregon.uoregon.edu
Sat Jun 2 09:15:21 EDT 2012


ianG asked:

#Would it be possible to describe in general words what LOA-1 thru 4 entails?

I hesitate to try to do so. The definitive answer can be found in 
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
and includes many subtle and important points, but just to focus solely
on the password/token requirement and vastly oversimplify things (ignoring
LOTS of other stuff that DOES really matter):

-- LOA-1: a password such that an attacker with no a priori knowledge of
the password will succeed in an in-band password guessing attack 1 in
1024 times (weak password auth)

-- LOA-2: as LOA-1, except 1 in 16,384 (stronger password auth)

-- LOA-3: requires multifactor auth (soft tokens are acceptable for this)

-- LOA-4: requires multifactor auth using a hard token (arguably, hard to
   do LOA-4 at scale with anything other than smart cards/PKI USB hard 
   tokens)

But truly, a couple of paragraphs cannot do justice to the 64 pages of 
NIST 800-63, and I'd urge you to refer to it directly if interested in
this topic.

Regards,

Joe
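As an added worked example (not part of Joe's post, and not NIST's own method), here is a small Python check of a password/throttling policy against the two online-guessing bounds quoted above: 1 in 1024 for LOA-1 and 1 in 16,384 for LOA-2. It assumes uniformly random passwords, so an attacker making distinct in-band guesses succeeds with probability (guesses allowed over the password's life) / (password space); the lockout model (a fixed number of failed attempts per hour over the password lifetime) and the policy numbers are constructed for illustration. SP 800-63 v1.0.2 estimates the entropy of user-chosen passwords differently (its Appendix A), so this is a ceiling, not a substitute for that analysis.

```python
"""Check a password policy against the LOA-1 / LOA-2 online-guessing bounds.

Added illustration, not code from the post or from NIST.  Assumes uniformly
random passwords and an attacker who never repeats a guess, so
P(success) = allowed_guesses / password_space.  Throttling model and policy
values below are hypothetical.
"""
import math

# Attacker success probability bounds per level, as quoted in the post.
LOA_TARGETS = {1: 1 / 1024, 2: 1 / 16384}


def password_space(length: int, charset_size: int) -> int:
    """Number of distinct passwords of `length` symbols over `charset_size`."""
    return charset_size ** length


def allowed_guesses(attempts_per_hour: int, lifetime_days: int) -> int:
    """Upper bound on in-band guesses over the password's life under a
    (hypothetical) rate limit of `attempts_per_hour` failed logins."""
    return attempts_per_hour * 24 * lifetime_days


def success_probability(guesses: int, space: int) -> float:
    """Chance a distinct-guess attacker hits a uniformly random password."""
    return min(1.0, guesses / space)


def max_guesses_for_target(space: int, target: float) -> int:
    """Largest guess budget that keeps success probability <= target."""
    return math.floor(space * target)


def meets_loa(length: int, charset_size: int, attempts_per_hour: int,
              lifetime_days: int, loa: int) -> bool:
    """True if the policy stays within the LOA-`loa` guessing bound."""
    space = password_space(length, charset_size)
    guesses = allowed_guesses(attempts_per_hour, lifetime_days)
    return success_probability(guesses, space) <= LOA_TARGETS[loa]


if __name__ == "__main__":
    # Constructed policies: a 6-digit PIN and an 8-character alphanumeric
    # password, both limited to 5 failed tries per hour for a 90-day life.
    print("6-digit PIN meets LOA-1:", meets_loa(6, 10, 5, 90, 1))
    print("8-char [A-Za-z0-9] meets LOA-2:", meets_loa(8, 62, 5, 90, 2))
    # How many lifetime guesses a 6-digit PIN can tolerate at each level.
    for level, target in LOA_TARGETS.items():
        print(f"LOA-{level}: max guesses for 10^6 space =",
              max_guesses_for_target(10 ** 6, target))
```

The interesting result is the PIN case: 5 tries per hour for 90 days is 10,800 guesses against a space of 1,000,000, a 1.08% success chance, more than ten times the LOA-1 bound, while the same policy with an 8-character alphanumeric password is far inside LOA-2. The `max_guesses_for_target` figures (976 and 61 lifetime guesses for a six-digit space) show why short secrets need aggressive throttling or a second factor rather than longer lockouts alone.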
