[26992] in cryptography@c2.net mail archive
Re: Status of SRP
daemon@ATHENA.MIT.EDU (Lance James)
Thu Jun 1 10:09:44 2006
X-Original-To: cryptography@metzdowd.com
Date: Tue, 30 May 2006 19:37:14 -0700
From: Lance James <lancej@securescience.net>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <447CD845.7000906@echeque.com>
James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?
I disagree here; I don't think this will stop phishing, for many reasons.
Please explain how it would. It will stop "man-in-the-middle" attacks on
the protocol, but phishers aren't attacking the protocols themselves.
It's still single-auth, and I can still obtain the user's password via
phishing. Please correct me if I'm wrong, but phishing happens before this
protocol is ever accessed.
If Mallory convinces Carol to log into a spoofed site that looks like
Steve but is not running SRP, then u and x are obtained by Mallory. Mallory
simply logs into Steve with u and x.
In SRP what is preshared is g^x, where x = H(s, p), s is a salt and p
is the password.
p would be a weakness here because the user knows it, and in phishing,
if the user knows it, the user is vulnerable.
My 2 cents.
--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://securescience.net/home/news/phishingexposed.html
**********************************************
* New IntelliFound Service 2 weeks free *
* Real-Time Identity Surveillance Service *
* http://www.securescience.net/ *
**********************************************
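The point above (the verifier g^x is never sent, but whoever holds p can run the client side) is easy to see in code. The following toy SRP-6a exchange is an added example written for this archive page; it is not code from the mail, from Lance James, or from any SRP library. It assumes a toy group N = 2^255 - 19, g = 2 (real deployments use the RFC 5054 safe-prime groups), SHA-256 as H, and the simplified x = H(s, p) written in the mail (RFC 5054 also hashes the username into x). Note that the mail's "u" is the username, while SRP's own u below is the scrambling parameter H(A, B). Carol's password and the phished record are constructed sample data.

```python
"""Toy SRP-6a exchange showing that a phished password p still logs Mallory in."""
import hashlib
import secrets

# Toy group for this example only (assumption): a prime modulus and generator.
# Real deployments use the safe-prime groups from RFC 5054, not this one.
N = 2**255 - 19
g = 2


def H(*parts) -> int:
    """Hash ints, str and bytes together; return the SHA-256 digest as an int."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(part, str):
            part = part.encode()
        h.update(part)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def private_key(salt: bytes, password: str) -> int:
    # x = H(s, p), as written in the mail; RFC 5054 also folds the username in.
    return H(salt, password)


def register(password: str):
    """Enrolment: the server receives (s, v = g^x mod N) and never sees p or x."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_key(salt, password), N)
    return salt, v


def srp_login(identity: str, password: str, server_db: dict) -> bool:
    """Run one SRP-6a exchange; return True if the server accepts the client's proof."""
    salt, v = server_db[identity]             # server looks up the stored verifier
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                          # client -> server: identity, A
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N            # server -> client: s, B
    u = H(A, B)                               # scrambling parameter (not the username)
    # Client: S = (B - k*g^x)^(a + u*x) mod N. Only someone who knows p can form x.
    x = private_key(salt, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, H(S_client))                 # client -> server: proof of the session key
    # Server: S = (A * v^u)^b mod N, computed from the verifier alone.
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    return M1 == H(A, B, H(S_server))         # both sides hold g^(ab + bux) iff x matched


def phishing_demo() -> dict:
    """Carol enrols at Steve; Mallory's spoofed site simply asks Carol for p."""
    carol_password = "correct horse battery staple"   # constructed sample password
    steve_db = {"carol": register(carol_password)}    # Steve stores only (s, g^x)
    # The spoofed site runs no SRP at all; it is a plain form that records what Carol types.
    phished = {"identity": "carol", "password": carol_password}
    return {
        "carol_logs_in": srp_login("carol", carol_password, steve_db),
        "mallory_with_phished_p": srp_login(phished["identity"], phished["password"], steve_db),
        "mallory_guessing": srp_login("carol", "wrong guess", steve_db),
    }


if __name__ == "__main__":
    for case, accepted in phishing_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Running it shows the asymmetry the mail describes: the real exchange never puts p, x or g^x on the wire, so a network attacker or a compromised server database gets nothing that logs in directly, yet Mallory holding the phished p runs exactly the same client code as Carol and is accepted. SRP removes the password from the protocol; it cannot remove it from the user.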
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com