[2149] in cryptography@c2.net mail archive
Re: More on SRP
daemon@ATHENA.MIT.EDU (Marcus Leech)
Sat Feb 21 19:37:16 1998
Date: Fri, 20 Feb 1998 23:15:15 +0100
From: "Marcus Leech" <Marcus.Leech.mleech@nt.com>
To: Mike Rosing <cryptech@Mcs.Net>
CC: cryptography@c2.net
Mike Rosing wrote:
> At one point I thought you could avoid computing H, but the
> entropy reduction is via the dictionary, not the bit pattern of
> x'. Thanks for reminding me :-)
>
In fact, it almost looks like the mistake was made that the construct:
x = H(s,P)
somehow increases the entropy of P. Hash functions cannot create entropy
that doesn't already exist, though they're useful in "distilling" diffuse
entropy into a more compact form.
>
> I hope he has a useful answer, but it seems to me that the off line
> guessing is still possible. I think there are other protocols which will
> accomplish the task with less risk, but the security is based on local
> computational power. With just a dumb terminal they won't work. Smart
> hand held security devices can be made pretty damn cheap tho, so the day
> will come when secure login is real.
>
> Everything can be attacked, all we can do is raise the price :-)
Certainly SRP cannot be made to execute in the dumb terminal arena--since
the "processor" is the user sitting at the terminal, or a hand-held
device. Since there are already plenty of viable solutions in this area,
it's not clear where SRP fits.
One could argue "oh, but SRP does key exchange AND authentication all in
one protocol". There exist protocols that do this already, using
well-analysed techniques, and likely with fewer exchanges.
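The entropy point made above (that x = H(s, P) carries no more entropy than P itself, however wide the hash output is) can be checked numerically. The following is an added illustration, not code from either poster or from any SRP implementation; it assumes SHA-256 as H, a constructed public salt, and a constructed four-entry password distribution chosen so the arithmetic is exact.

```python
import hashlib
import math
from collections import Counter

# Constructed toy password distribution (not from the original post):
# the user picks one of four passwords with these probabilities.
PASSWORD_DIST = {
    "password": 0.5,
    "letmein": 0.25,
    "hunter2": 0.125,
    "correct horse battery staple": 0.125,
}

# Constructed salt s. In SRP the salt is public, so it adds nothing an
# observer does not already know; it only separates verifiers across users.
SALT = b"constructed-salt"


def srp_x(salt: bytes, password: str) -> bytes:
    """x = H(s, P), with H assumed to be SHA-256 for this illustration."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def shannon_entropy_bits(dist: dict) -> float:
    """Shannon entropy, in bits, of a probability distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def hashed_distribution(salt: bytes, password_dist: dict) -> dict:
    """Distribution of x = H(s, P) induced by the password distribution."""
    out = Counter()
    for password, p in password_dist.items():
        out[srp_x(salt, password)] += p
    return dict(out)


def entropy_of_x(salt: bytes, password_dist: dict) -> float:
    """Entropy of x. Bounded above by the entropy of P: hashing cannot add any."""
    return shannon_entropy_bits(hashed_distribution(salt, password_dist))


def nominal_output_bits(salt: bytes, password: str) -> int:
    """Width of x in bits; this is what the hash output looks like, not its entropy."""
    return len(srp_x(salt, password)) * 8


if __name__ == "__main__":
    print("entropy of P:", shannon_entropy_bits(PASSWORD_DIST), "bits")
    print("entropy of x:", entropy_of_x(SALT, PASSWORD_DIST), "bits")
    print("width of x:  ", nominal_output_bits(SALT, "password"), "bits")
```

With this distribution P has 1.75 bits of entropy, and x = H(s, P) has exactly the same 1.75 bits despite being 256 bits wide: the hash maps the four passwords to four distinct values but preserves their probabilities, which is why a dictionary of likely passwords bounds the work of any offline guessing regardless of the hash. The defensive levers are therefore the password distribution itself (length and unpredictability) and the cost of each guess, not the width of H.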