[2162] in cryptography@c2.net mail archive
Re: More on SRP
daemon@ATHENA.MIT.EDU (EKR)
Mon Feb 23 19:46:37 1998
To: "James A. Donald" <jamesd@echeque.com>
Cc: Mike Rosing <cryptech@Mcs.Net>, Marc Horowitz <marc@cygnus.com>,
Marcus Leech <Marcus.Leech.mleech@nt.com>, cryptography@c2.net
From: EKR <ekr@terisa.com>
Date: 23 Feb 1998 15:24:30 -0800
In-Reply-To: "James A. Donald"'s message of Mon, 23 Feb 1998 13:31:30 -0800
"James A. Donald" <jamesd@echeque.com> writes:
> --
> At 09:40 AM 2/23/98 -0600, Mike Rosing wrote:
> > I agree with Marcus, SRP doesn't solve the login problem
> > any better than PKC can, assuming you use ECC. Training
> > people to login with pass phrases instead of pass words is
> > going to take a long time, but where it is really necessary
> > it will happen first.
>
> It is trivial to use ECC (or any log based public key
> system) to make login passwords invulnerable to sniffers or
> to dictionary attacks.
>
> The change password, or set password program generates a
> private key by hashing the password, and sends the
> corresponding public key to the server, encrypting it using
> DH.
This is only resistant to passive dictionary attack.
It's not, however, resistant to active dictionary attacks. The
attacker can man in the middle, which recovers the public key.
Then he can perform a dictionary attack. As I understand it,
one of the design goals of SRP, SPEKE, et al., is that they're
resistant to this attack as well.
-Ekr
--
[Eric Rescorla Terisa Systems, Inc.]
"Put it in the top slot."
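
Added example, not part of the original message: a sketch of why a public key derived by hashing the password is a password-equivalent verifier, so anyone who learns it can test guesses with no further contact with the server. The group parameters, function names, passwords and word list are assumptions constructed for illustration.

```python
import hashlib

# Toy discrete-log group (assumption for this sketch): the prime 2^255 - 19
# with base 2. A deployment would use a standard, vetted group or curve.
P = 2**255 - 19
G = 2


def private_key(password: str) -> int:
    """Private exponent obtained by hashing the password, as in the quoted scheme."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1)


def public_key(password: str) -> int:
    """Public key G^x mod P that the set-password program sends to the server."""
    return pow(G, private_key(password), P)


def offline_check(observed_public: int, candidates):
    """Return the candidate whose derived public key matches, else None.

    Everything here is computed locally: once the public key is known,
    the server's rate limiting and lockout never see the guesses.
    """
    for guess in candidates:
        if public_key(guess) == observed_public:
            return guess
    return None


def demo():
    # Constructed sample values.
    wordlist = ["letmein", "password", "tr0ub4dor", "hunter2"]
    weak = offline_check(public_key("tr0ub4dor"), wordlist)
    strong = offline_check(public_key("correct horse battery staple 7141"), wordlist)
    return weak, strong


if __name__ == "__main__":
    print(demo())
```

The derivation is deterministic and unsalted, so the strength of the scheme against a party holding the public key reduces to the entropy of the password itself.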