[2142] in cryptography@c2.net mail archive
Re: SRP
daemon@ATHENA.MIT.EDU (Sidney Markowitz)
Fri Feb 20 00:20:46 1998
From: "Sidney Markowitz" <sidney@communities.com>
To: <cryptography@c2.net>
Date: Thu, 19 Feb 1998 18:59:05 -0800
Marcus Leech <Marcus.Leech.mleech@nt.com> said:
>Is it just me, or is it possible for Carol to be duped into transacting
>transacting with a Steve impersonator, since the salt is exchanged
>in public
There was a typo in the URL. http://srp.stanford.edu/srp/ is the home page,
and that has the correct links to both Postscript and HTML versions of the
paper.
The salt, s, is exchanged in public, but the verifier, v, is a shared
secret.
Step 8 computes a function of the session key, K, which is in turn a
function of either v (the way Steve computes it) or Carol's password hashed
with the salt (the way Carol computes it). Knowing just the salt is not
enough to compute K.
Knowing the salt and the verifier is enough to allow someone to impersonate
Steve. The verifier is supposed to be kept secret.
This simplification of the full protocol eliminates verifying Steve's
identity, as mentioned in the paragraph preceding Table 4. If you want to
verify Steve's identity, you have him use a password too, and then even
knowing v,s isn't enough to impersonate Steve to Carol. The benefit that
this paper claims for the simplified protocol is that Carol can verify her
identity to Steve without Steve (or someone who compromises him) having
enough information to impersonate her to someone else.
-- sidney markowitz <sidney@communities.com>
Electric Communities
