[2155] in cryptography@c2.net mail archive
Re: More on SRP
daemon@ATHENA.MIT.EDU (EKR)
Mon Feb 23 11:21:24 1998
To: "Marcus Leech" <Marcus.Leech.mleech@nt.com>
Cc: cryptography@c2.net
From: EKR <ekr@terisa.com>
Date: 23 Feb 1998 07:59:08 -0800
In-Reply-To: "Marcus Leech"'s message of Sun, 22 Feb 1998 13:58:40 +0100
"Marcus Leech" <Marcus.Leech.mleech@nt.com> writes:
> EKR wrote:
> >
> > As I understand it the point of SRP is to provide an authenticated
> > key exchange where the method of authentication is a simple password,
> > but which isn't susceptible to dictionary attacks, even in the
> > face of an active attack.
> >
> > Now, I haven't really analyzed it so I can't say if it accomplishes
> > this goal or not. Nor, for that amtter, am I convinced that this is
> > a worthwhile engineering goal to shoot for, but I think that is
> > the position that SRP is supposed to occupy.
> >
> Actually, Eric, if you read all of the splashy stuff on the SRP
> home page, you come away with the impression that SRP is supposed
> to replace all of modern cryptographic authentication.
I agree that it the web page give this impression. I think that
this seriously overstates it's usefulness.
> My position is this: if you're going to design a protocol that has
> all the drawbacks of public-key cryptography (ie: speed, complexity, etc),
> then you might as well "do" public-key cryptography.
As I understand it, SRP is supposed to serve more or less the
same purpose as EKE: leverage an existing password infrastructure
to provide an authentication system that is secure against the
known attacks on passwords. This might be a worthwhile goal
under some circumstances where certificates aren't available.
> Given that a dictionary attack *is* possible with SRP, assuming that
> the attacker has captured at least one 'v' value, then it doesn't
> even accomplish that goal very effectively.
If you're right, I'd agree that this is a serious problem.
-Ekr
--
[Eric Rescorla Terisa Systems, Inc.]
"Put it in the top slot."
