[2145] in cryptography@c2.net mail archive
More on SRP
daemon@ATHENA.MIT.EDU (Marcus Leech)
Fri Feb 20 13:42:49 1998
From: "Marcus Leech" <Marcus.Leech.mleech@nt.com>
To: cryptography@c2.net
Date: Fri, 20 Feb 1998 09:29:12 -0500 (EST)

To quote from draft-wu-srp-auth-01.txt:

    Many existing mechanisms also require the password database on the
    host to be kept secret because the password P or some private hash
    h(P) is stored there and would compromise security if revealed.
    That approach often degenerates into "security through obscurity"
    and goes against the UNIX convention of keeping a "public" password
    file whose contents can be revealed without destroying system security.

Since v must be kept secret, I cannot see how this is different from
"existing mechanisms also require the password database on the host
to be kept secret".

Also, quoting from the draft:

    Trusted key servers
    and certificate infrastructures are not required, and clients are
    not required to store or manage any long-term keys. SRP offers
    both security and deployment advantages over existing challenge-
    response techniques, making it an ideal drop-in replacement where
    secure password authentication is needed.

Yes, but servers are definitely required to keep and maintain long-term secrets.
This scheme suffers from the N**2 problem common to all shared-secret
schemes.

In attempting to avoid, for example, RSA/DSA signatures, the protocol
requires at least as much computation, and certainly as many, if not
more exchanges than, for example, ISAKMP/OAKLEY.

It certainly isn't something that can "just plug in to existing password
mechanisms". Several exchanges are required, many of which use
large integers on the wire--not something that is conveniently represented in
user-speak, in the way that, for example, OTP exchanges can be.

--
----------------------------------------------------------------------
Marcus Leech Mail: Dept 8M86, MS 012, FITZ
Systems Security Architect Phone: (ESN) 393-9145 +1 613 763 9145
Messaging and Security Infrastructure Fax: (ESN) 395-1407 +1 613 765 1407
Nortel Technology mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------