[27108] in cryptography@c2.net mail archive
Re: Status of SRP
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Fri Jun 2 20:20:23 2006
X-Original-To: cryptography@metzdowd.com
Date: Thu, 01 Jun 2006 10:20:08 -0400
From: Jeffrey Altman <jaltman@columbia.edu>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <447CD845.7000906@echeque.com>
James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?
Unfortunately, SRP is not the solution to the phishing problem.
The phishing problem is made up of many subtle sub-problems involving
the ease of spoofing a web site and the challenges involved in securing
the enrollment and password change mechanisms. SRP would allow a client
to know that a service is in fact the correct service when the
authentication succeeds. However, it would not help in the situation
when the authentication fails. This could be because the user is not
sure of what the password is or even sure which account name was being
used.
Solving the phishing problem requires changes on many levels:
(1) Some form of secure chrome for browsers must be deployed where
the security comes either from a "trusted desktop" or from per-user
customizations that significantly decrease the chances that the
attacker can fake the web site experience. (Prevent the attacker
from replicating the browser frame, toolbars, lock icons,
certificate dialogs, etc.)
(2) Reducing the number of accounts and passwords (or other identifiers)
that end users need to remember. With a separate identifier for
each and every web site it is no surprise that my extended family
can never remember what was used at each site. Therefore, it is
not much of a surprise when a site says that the authentication
failed.
(3) Secure mechanisms must be developed for handling enrollment and
password changing.
Only then can we truly address the phishing problem.
Jeffrey Altman
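The SRP property argued above, as an added example that is not part of the original message: a toy SRP-6a run in Python with constructed parameters (N = 2**521 - 1 is a demonstration prime, not an RFC 5054 group; the username, password and salt are made up). A successful run proves the server holds the verifier, while a mistyped password and a spoofed site that has no verifier both leave the client with the same bare failure.

```python
import hashlib
import secrets

# Constructed demo parameters: 2**521 - 1 is a Mersenne prime, not an RFC 5054
# SRP group; it keeps the arithmetic honest but is not for deployment.
N = 2**521 - 1
g = 2

def H(*parts):
    """Hash a mix of ints and strings to an int (demo encoding, not RFC 5054's)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode())
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def enroll(username, password):
    """Enrollment: server keeps (salt, v = g^x); the password itself is never stored."""
    salt = secrets.randbits(64)
    x = H(salt, H(f"{username}:{password}"))
    return salt, pow(g, x, N)

def srp_session(username, typed_password, server_db, impostor=False):
    """One SRP-6a run, returning the outcome as the client perceives it."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral
    A = pow(g, a, N)
    b = secrets.randbelow(N - 2) + 1          # server ephemeral
    if impostor:
        # A spoofed site holds no verifier; it can only improvise a salt and B.
        salt, B = secrets.randbits(64), pow(g, b, N)
    else:
        salt, v = server_db[username]
        B = (k * v + pow(g, b, N)) % N
    u = H(A, B)
    x = H(salt, H(f"{username}:{typed_password}"))
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_c = H(S_c)
    M1 = H(A, B, K_c)                          # client proof, sent to the server
    if impostor:
        # Without v the impostor cannot derive K, so it can neither check M1 nor
        # forge M2; the client sees the same "failed" a mistyped password gives.
        return "failed"
    S_s = pow(A * pow(v, u, N), b, N)
    K_s = H(S_s)
    if M1 != H(A, B, K_s):
        return "failed"                        # wrong password or wrong account
    M2 = H(A, M1, K_s)                         # server proof: it knew v
    return "success" if M2 == H(A, M1, K_c) else "failed"
```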
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com