AOL and Yahoo to Offer Filter Circumvention
tiltowait wrote to mention a report on MSNBC's site stating that AOL and Yahoo are both planning to introduce a for-pay way to circumvent their spam filters. From the article: "The fees, which would range from 1/4 cent to 1 cent per e-mail, are the latest attempts by the companies to weed out unsolicited ads, commonly called spam, and identity-theft scams. In exchange for paying, e-mail senders will be guaranteed their messages won't be filtered and will bear a seal alerting recipients they're legitimate."
While transmitting the passwords in a reversible encryption scheme protects against third party eavesdroppers, it does not protect against rogue servers.
Traditional Unix passwords are stored using an irreversible encryption scheme, but must be transmitted from client to server in the clear (or using a reversible scheme).
Samba and CHAP passwords are transmitted using an irreversible encryption scheme, but must be stored in the clear, which makes them vulnerable to compromise of the password data base.
Now, I've found a method which allows having it both ways:
- passwords may be stored with an irreversible scheme.
- transmission is done using a challenge-response system which does not reveal password or password-equivalent hashes
The method is a variant of Diffie Hellman key exchange, relying on the difficulty of calculating a discrete logarithm. Let p be the password, g a generator and Q a large safe prime. g and Q are constants in the algorithms.
- Passwords are stored as g^p mod Q
- When authenticating a client, the server picks a secret k, only known to itself. It transmits C=g^k to the client as a challenge.
- The client calculates R=C^p, which is equal to g^pk
- Upon receipt, the server strips k by raising the client's response to the 1/k-th power: g^p = R^(1/k)
- Finally it compares g^p against the stored hash g^p
Benefits: The server cannot the client to another server authenticating against the same password base, because at no time does it know p. Even if the server machine is compromised, passwords are still safe, even if unwitting clients logged in during the compromise.

This post was brought to you by the antisoftpat fairy. If, several years from now, you use this as prior art to bust an obnoxious software patent, please chant three times "de Juncker as ee Kallef, a gehéiert oofesaat!" as a thank you gesture for the fairy ;-)
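The exchange described in the post above, worked through in code as an added example (this is not the poster's code). Q, G, the SHA-256 password-to-exponent mapping and all function names are my assumptions; the constants are toy-sized so the arithmetic is easy to follow.

```python
# Added example, not from the post: the challenge-response login described
# above with toy-sized constants. Q, G, password_exponent() and the other
# names are assumptions, not the poster's.
import hashlib
import secrets
from math import gcd

Q = 2039          # safe prime: Q = 2*1019 + 1 with 1019 prime (toy size only)
G = 2             # fixed base shared by client and server


def password_exponent(password: str) -> int:
    """Map the password to the exponent p (assumed: SHA-256 reduced mod Q-1)."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) or 1


def enroll(password: str) -> int:
    """Server-side storage: only g^p mod Q is kept, never p itself."""
    return pow(G, password_exponent(password), Q)


def server_challenge() -> tuple[int, int]:
    """Pick secret k and send C = g^k. k must be coprime to Q-1 or the
    1/k-th power used by the server later does not exist."""
    while True:
        k = secrets.randbelow(Q - 3) + 2          # 2 .. Q-2
        if gcd(k, Q - 1) == 1:
            return k, pow(G, k, Q)


def client_response(password: str, challenge: int) -> int:
    """Client computes R = C^p = g^(pk); p itself never leaves the client."""
    return pow(challenge, password_exponent(password), Q)


def server_verify(stored: int, k: int, response: int) -> bool:
    """Strip k: R^(1/k) = g^p, then compare against the stored g^p."""
    k_inv = pow(k, -1, Q - 1)                     # inverse of k mod Q-1
    return pow(response, k_inv, Q) == stored


def run_login(stored: int, password_attempt: str) -> bool:
    """One complete exchange between server and client."""
    k, challenge = server_challenge()
    return server_verify(stored, k, client_response(password_attempt, challenge))


def verifier_replay_fails(stored: int) -> bool:
    """A stolen g^p is not a valid response by itself: echoing it back only
    passes when k == 1 mod the order of g, which server_challenge never picks."""
    k, _ = server_challenge()
    return not server_verify(stored, k, stored)
```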