Tom Lane said:
> It occurs to me that we could make this work if we had a hash algorithm
> that was commutative, in the sense that
[...]
> MD5 is not commutative in this sense, and it might be that any hash
> algorithm that is could not be cryptographically strong. But we could
> look around and see what's out there...
Here http://www.research.att.com/~smb/papers/aeke.pdf the authors
describe something like the scheme you are looking for. They even talk
about "commutative hash functions" and how they help to protect against
"dictionary attacks and password file compromise". However, they
mention that "at present, we do not know of any family of commutative
one-way functions that satisfy the protocol requirements, while hiding
sufficient information".
They also talk about asymmetric encryption and describe a protocol for
key exchange using hashed passwords and some kind of public/private key
pair.
Maybe the paper sheds some light on the discussion.
--
Alvaro Herrera (<alvherre[a]atentus.com>)
"The conclusion we can draw from those studies is that
we cannot draw any conclusion from them" (Tanenbaum)
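The property the two posters are discussing, "commutative" in the sense that applying the function with key a and then key b gives the same result as b then a, can be checked mechanically. The following added example (not from the thread, the AEKE paper, or PostgreSQL) does exactly that for two candidate constructions: a keyed MD5 chaining step, which fails the check as Tom Lane expected, and modular exponentiation in a group, which passes it because (g^a)^b = (g^b)^a. The prime, generator, and key sizes are toy values constructed for illustration; whether a commutative one-way function also meets a given protocol's hiding requirements is the separate question the quoted paper leaves open, and this code says nothing about it.

```python
import hashlib
import secrets

# Toy group parameters (constructed for illustration; far too small for real use).
# 2**127 - 1 is a Mersenne prime; 2 is used as a generator for demonstration.
TOY_PRIME = 2**127 - 1
TOY_GENERATOR = 2


def md5_chain_step(base: bytes, key: bytes) -> bytes:
    """One keyed MD5 step: H(key || base).

    This is the obvious way to 'apply a key' to an MD5 hash and is the
    kind of construction that is NOT commutative.
    """
    return hashlib.md5(key + base).digest()


def modexp_step(base: int, key: int) -> int:
    """One exponentiation step: base ** key mod p.

    Two successive steps compute g ** (a * b), which is the same
    regardless of the order of a and b, so this step commutes.
    """
    return pow(base, key, TOY_PRIME)


def is_commutative(step, base, key_a, key_b) -> bool:
    """Return True if step(step(base, a), b) == step(step(base, b), a)."""
    return step(step(base, key_a), key_b) == step(step(base, key_b), key_a)


def check_constructions(password: bytes, key_a: int, key_b: int) -> dict:
    """Run the commutativity check against both constructions.

    The integer keys are reused for both: as-is for exponentiation,
    and as fixed-width byte strings for the MD5 chaining step.
    """
    key_a_bytes = key_a.to_bytes(16, "big")
    key_b_bytes = key_b.to_bytes(16, "big")

    # For exponentiation the 'base' is a group element derived from the
    # password; hashing to an integer mod p is just a constructed mapping here.
    pw_int = int.from_bytes(hashlib.sha256(password).digest(), "big") % TOY_PRIME
    pw_element = pow(TOY_GENERATOR, pw_int, TOY_PRIME)

    return {
        "md5_chain": is_commutative(md5_chain_step, password, key_a_bytes, key_b_bytes),
        "modexp": is_commutative(modexp_step, pw_element, key_a, key_b),
    }


if __name__ == "__main__":
    # Constructed sample input: a password and two random 127-bit keys.
    a = secrets.randbits(127) | 1
    b = secrets.randbits(127) | 1
    results = check_constructions(b"correct horse battery staple", a, b)
    for name, commutes in results.items():
        print(f"{name:10s} commutative: {commutes}")
```

Running it prints that the MD5 chain does not commute while exponentiation does; the check is deterministic for a given pair of keys, so the test below fixes them.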