[2154] in cryptography@c2.net mail archive
Re: More on SRP
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Mon Feb 23 00:44:01 1998
To: "Marcus Leech" <Marcus.Leech.mleech@nt.com>
Cc: EKR <ekr@terisa.com>, cryptography@c2.net
From: Marc Horowitz <marc@cygnus.com>
Date: 23 Feb 1998 00:33:34 -0500
In-Reply-To: "Marcus Leech"'s message of Sun, 22 Feb 1998 13:58:40 +0100
"Marcus Leech" <Marcus.Leech.mleech@nt.com> writes:

>> My position is this: if you're going to design a protocol that has
>> all the drawbacks of public-key cryptography (i.e., speed, complexity, etc.),
>> then you might as well "do" public-key cryptography.

SRP does not have one of the significant drawbacks of PKC: you don't
need to store and distribute (possibly encrypted) private keys. I see
SRP as something I might use to augment the AS phase of Kerberos, like
I might use EKE (which also does exponentiation). The KDC needs to be
secure anyway, the user can't tell what kinit is doing, and an
attacker can't do an active attack on snooped Tickets.

>> Given that a dictionary attack *is* possible with SRP, assuming that
>> the attacker has captured at least one 'v' value, then it doesn't
>> even accomplish that goal very effectively.

With Kerberos, if the attacker managed to get v from the KDC, he
probably got krbtgt/REALM, too, and Kerberos is screwed.

Marc
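
The point both writers take as given, that a stored verifier v plus its salt is enough to test password guesses offline, shown as an added example that is not part of the original message. The toy modulus, the hash layout used for x, the PBKDF2 variant and all function names are assumptions of this example.

```python
import hashlib

# Toy group constructed for this example: 2**521 - 1 is prime, but it is not
# a standard SRP group. Real deployments use a vetted safe-prime modulus.
N = 2**521 - 1
G = 3

def x_fast(salt: bytes, user: str, password: str) -> int:
    """x = H(salt | H(user ":" password)) with SHA-1 (layout assumed here)."""
    inner = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")

def x_slow(salt: bytes, user: str, password: str) -> int:
    """Same role as x_fast, but each guess costs 100,000 hash iterations."""
    key = hashlib.pbkdf2_hmac("sha256", f"{user}:{password}".encode(), salt, 100_000)
    return int.from_bytes(key, "big")

def make_verifier(salt, user, password, derive_x=x_fast) -> int:
    """What the server stores: v = g^x mod N."""
    return pow(G, derive_x(salt, user, password), N)

def audit_verifier(v, salt, user, weak_passwords, derive_x=x_fast):
    """Return the weak password behind v, or None.

    Needs only the stored (salt, v) pair and no protocol run, which is why
    the verifier store must be guarded like any password-hash database.
    """
    for guess in weak_passwords:
        if make_verifier(salt, user, guess, derive_x) == v:
            return guess
    return None

# Constructed sample data.
SALT = bytes.fromhex("a1b2c3d4e5f60718")
WEAK = ["password", "letmein", "winter98", "qwerty"]

if __name__ == "__main__":
    v = make_verifier(SALT, "alice", "winter98")
    print(audit_verifier(v, SALT, "alice", WEAK))
```

Deriving x with a slow function such as `x_slow` does not remove the offline check; it only raises the cost of each guess.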