[2199] in cryptography@c2.net mail archive
Re: More on SRP
daemon@ATHENA.MIT.EDU (David Jablon)
Thu Feb 26 10:48:44 1998
Date: Thu, 26 Feb 1998 08:06:34 -0500
To: EKR <ekr@terisa.com>, "James A. Donald" <jamesd@echeque.com>
From: David Jablon <dpj@world.std.com>
Cc: Mike Rosing <cryptech@Mcs.Net>, Marc Horowitz <marc@cygnus.com>,
Marcus Leech <Marcus.Leech.mleech@nt.com>, cryptography@c2.net
In-Reply-To: <3ogzxgb0x.fsf@kmac.terisa.com>
The preceding discussion of SRP seems to miss the point.
SRP-3, like B-SPEKE, A-EKE and related methods, is not
an *alternative* to PKC. It is just a specially enhanced
form of PKC which solves more problems with low-entropy keys
than other PK alternatives.
EKE and SPEKE are key amplifiers, which use a common
shared secret on both sides. SRP-3, B-SPEKE, and A-EKE can
be thought of as extended PK methods that incorporate key
amplification, to protect in the case of an (un)expectedly
low entropy private key.
In some cases, these methods can also eliminate the need
for a certificate-based PKI.
At 09:40 AM 2/23/98 -0600, Mike Rosing wrote:
>> > I agree with Marcus, SRP doesn't solve the login problem
>> > any better than PKC can, assuming you use ECC. Training
>> > people to login with pass phrases instead of pass words is
>> > going to take a long time, but where it is really necessary
>> > it will happen first.
I disagree. ECC groups don't solve the login problem any better
than the more familiar number groups. ECC merely provides
a more efficient calculation.
Further, it is naive to presume that training is the solution.
People have basic limitations with handling large entropy
numbers. SRP, SPEKE, etc. are designed to compensate, at least
partially, for our human limitations.
In reply, "James A. Donald" <jamesd@echeque.com> writes:
>> It is trivial to use ECC (or any log based public key
>> system) to make login passwords invulnerable to sniffers or
>> to dictionary attacks.
>>
>> The change password, or set password program generates a
>> private key by hashing the password, and sends the
>> corresponding public key to the server, encrypting it using
>> DH.
Maybe it's not so trivial. As EKR correctly points out:
>This is only resistant to passive dictionary attack.
>
>It's not, however, resistant to active dictionary attacks. The
>attacker can man in the middle, which recovers the public key.
>Then he can perform a dictionary attack. As I understand it,
>one of the design goals of SRP, SPEKE, et al., is that they're
>resistant to this attack as well.
Perhaps some of this discussion has been motivated by Marcus
Leech's reaction to exuberant claims on Tom Wu's web page.
Regardless of Tom's presentation, these methods have many uses.
For an alternate discussion of these tricks, see the pages at
<http://world.std.com/~dpj>.
------------------------------------
David Jablon
Integrity Sciences, Inc.
dpj@world.std.com
<http://world.std.com/~dpj/>
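As an added illustration (not code from this thread or from Tom Wu's SRP distribution), the Python sketch below runs one SRP-3 style exchange to show the point EKR makes: the server stores only the verifier v = g^x, the password-derived x never leaves the client, and what crosses the wire (A and B) is freshly randomized each run, unlike a fixed g^H(password). The structure follows SRP-3 as I recall it from Wu's 1998 paper (v = g^x, B = v + g^b, u taken from a hash of B); later revisions changed these details, and the toy group, hash and proof message here are assumptions of this illustration.

```python
import hashlib
import secrets

# Toy group (constructed for this illustration, far too small for real use):
# SRP needs a safe prime N = 2q + 1 and a generator g of the full group.
def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def _safe_prime(q):
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1

N = _safe_prime(1 << 28)
Q = (N - 1) // 2
G = next(g for g in range(2, N) if pow(g, 2, N) != 1 and pow(g, Q, N) != 1)

def H(*parts):
    """Hash integers/strings to an integer (an assumed hash, not the paper's)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode() + b"|")
    return int.from_bytes(h.digest(), "big")

def make_verifier(salt, password):
    """Registration: the client derives x from salt+password but sends only v=g^x."""
    return pow(G, H(salt, password), N)

def srp3_exchange(password, salt, v):
    """One SRP-3 style run; returns (client_key, server_key, proof_accepted)."""
    a = secrets.randbelow(Q) + 1          # client ephemeral
    A = pow(G, a, N)                      # sent to server
    b = secrets.randbelow(Q) + 1          # server ephemeral
    B = (v + pow(G, b, N)) % N            # verifier masked by a random element
    if A == 0 or B == 0:
        raise ValueError("degenerate public value, abort")
    u = H(B) & 0xFFFFFFFF                 # 32-bit scrambler derived from B
    if u == 0:
        raise ValueError("degenerate u, abort")
    x = H(salt, password)                 # client side only; never sent
    S_client = pow((B - pow(G, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(v, u, N)) % N, b, N)   # server uses v, never x
    K_client, K_server = H(S_client), H(S_server)
    M1 = H(A, B, K_client)                # client proves it reached the same key
    return K_client, K_server, M1 == H(A, B, K_server)
```

With the right password both sides land on the same key and the client's proof verifies; with a wrong guess the keys differ and the server rejects, while nothing it saw lets it (or an eavesdropper) test guesses offline without the verifier.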