[cryptography] can the German government read PGP and ssh traffic?

ianG iang at iang.org
Tue Jun 5 20:07:45 EDT 2012


Thanks for that; that is all that is needed to get the idea.  (I was 
hoping for some objective standard rather than a current-technology 
taxonomy.)

iang


On 2/06/12 23:15 PM, Joe St Sauver wrote:
> ianG asked:
>
> #Would it be possible to describe in general words what LOA-1 thru 4 entails?
>
> I hesitate to try to do so. The definitive answer can be found in
> http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
> and includes many subtle and important points, but just to focus solely
> on the password/token requirement and vastly oversimplify things (ignoring
> LOTS of other stuff that DOES really matter):
>
> -- LOA-1: a password such that an attacker with no a priori knowledge of
> the password will succeed in an in-band password guessing attack 1 in
> 1024 times (weak password auth)
>
> -- LOA-2: as LOA-2, except 1 in 16,384 (stronger password auth)
>
> -- LOA-3: requires multifactor auth (soft tokens are acceptable for this)
>
> -- LOA-4: requires multifactor auth using a hard token (arguably, hard to
>     do LOA-4 at scale with anything other than smart cards/PKI USB hard
>     tokens)
>
> But truly, a couple of paragraphs cannot do justice to the 64 pages of
> NIST 800-63, and I'd urge you to refer to it directly if interested in
> this topic.
>
> Regards,
>
> Joe
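An added worked example, not from the thread or from NIST, of the LOA-1/LOA-2 online-guessing criterion quoted above: it derives an attacker's lifetime guess budget from a hypothetical lockout policy (the 5-failures-per-15-minutes, 90-day numbers are constructed), compares the resulting success probability against the 1/1024 and 1/16384 thresholds, and computes the password min-entropy a policy would need. It assumes the password is drawn uniformly from 2^min_entropy candidates, a simplification of the min-entropy estimation SP 800-63 actually uses.

```python
import math

# Thresholds as quoted in the thread from NIST SP 800-63 v1.0.2: the chance
# that an attacker with no prior knowledge succeeds at in-band (online)
# guessing over the password's lifetime must not exceed these values.
LOA_THRESHOLDS = {2: 1 / 16384, 1: 1 / 1024}


def lifetime_guess_budget(max_failures_per_window: int,
                          window_minutes: float,
                          lifetime_days: float) -> int:
    """Upper bound on online guesses allowed by a lockout/throttling policy
    over the whole password lifetime (the attacker retries every window)."""
    windows = (lifetime_days * 24 * 60) / window_minutes
    return math.ceil(windows * max_failures_per_window)


def guessing_success_probability(guesses: int, min_entropy_bits: float) -> float:
    """Assumption: password chosen uniformly from 2**min_entropy_bits values,
    so each distinct guess eliminates exactly one candidate."""
    keyspace = 2.0 ** min_entropy_bits
    return min(1.0, guesses / keyspace)


def assurance_level(probability: float) -> int:
    """Highest password-only level (1 or 2) the probability satisfies; 0 if none."""
    for level in (2, 1):
        if probability <= LOA_THRESHOLDS[level]:
            return level
    return 0


def required_entropy_bits(guesses: int, level: int) -> float:
    """Minimum uniform min-entropy (bits) so that `guesses` attempts stay
    within the threshold for `level`: guesses / 2**bits <= threshold."""
    return math.log2(guesses / LOA_THRESHOLDS[level])


if __name__ == "__main__":
    # Constructed policy: lock out after 5 failures, unlock after 15 minutes,
    # passwords rotated every 90 days.
    budget = lifetime_guess_budget(5, 15, 90)
    for bits in (24, 26, 30):
        p = guessing_success_probability(budget, bits)
        print(f"{bits}-bit password: P(success)={p:.2e} -> LOA-{assurance_level(p)}")
    for level in (1, 2):
        print(f"LOA-{level} needs >= {required_entropy_bits(budget, level):.1f} bits")
```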
