[2153] in cryptography@c2.net mail archive
Re: More on SRP
daemon@ATHENA.MIT.EDU (Marcus Leech)
Mon Feb 23 00:17:00 1998
Date: Sun, 22 Feb 1998 13:58:40 +0100
From: "Marcus Leech" <Marcus.Leech.mleech@nt.com>
To: EKR <ekr@terisa.com>
CC: cryptography@c2.net
EKR wrote:
>
> As I understand it the point of SRP is to provide an authenticated
> key exchange where the method of authentication is a simple password,
> but which isn't susceptible to dictionary attacks, even in the
> face of an active attack.
>
> Now, I haven't really analyzed it so I can't say if it accomplishes
> this goal or not. Nor, for that amtter, am I convinced that this is
> a worthwhile engineering goal to shoot for, but I think that is
> the position that SRP is supposed to occupy.
>
Actually, Eric, if you read all of the splashy stuff on the SRP
home page, you come away with the impression that SRP is supposed
to replace all of modern cryptographic authentication.
My position is this: if you're going to design a protocol that has
all the drawbacks of public-key cryptography (ie: speed, complexity, etc),
then you might as well "do" public-key cryptography.
Given that a dictionary attack *is* possible with SRP, assuming that
the attacker has captured at least one 'v' value, then it doesn't
even accomplish that goal very effectively.
