IETF-SSH archive
Re: Some SRP issues
Tom Wu <tom%arcot.com@localhost> writes:
> > But if the user's secret value x is constructed as
> >
> > x = HASH(s | H(n | p))
...
> I assume you're referring to a situation where a user is attempting to
> *set* his password remotely for the very first time on a server, since
> that is the only time one would ever send "v" over the network.
*blush* You're right, of course. It's half a year since I really
worked with SRP, and apparently I'm forgetting important things about
it... No, I was not thinking about setting the password, only the key
exchange.
So what is a correct analysis of the case where the attacker tells the
client to use a group of the attacker's choice, and the attacker can
compute logarithms?
The values that the attacker gets are
e = g^a, from which a discrete log computation yields the user's
secret dh value a.
f = v + g^b, which doesn't yield anything obvious.
So it seems fine. Is there anywhere I can read more about this
scenario?
/Niels
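
The two observations in the message above, worked through in a toy group as an added example (not part of the original post or of any SRP implementation). The symbols e, f, v, a, b and x follow the thread; the prime P = 467, the generator G = 2 (a primitive root of that prime), the secret values and all function names are constructed assumptions, and the check covers only what f reveals on its own.

```python
# Added illustration; every number here is constructed and far too small for real use.
P = 467   # toy prime, P - 1 = 2 * 233
G = 2     # primitive root mod 467 (confirmed by is_primitive_root below)

def is_primitive_root(g, p):
    """True if the powers of g cover every nonzero residue mod p."""
    return len({pow(g, k, p) for k in range(p - 1)}) == p - 1

def discrete_log(h, g, p):
    """Exhaustive search for k with g^k = h (mod p); feasible only because p is tiny."""
    acc = 1
    for k in range(p - 1):
        if acc == h:
            return k
        acc = acc * g % p
    raise ValueError("h is not a power of g")

def verifiers_consistent_with(f, g, p):
    """All v' in 1..p-1 such that f = v' + g^b' (mod p) for some exponent b'."""
    powers = {pow(g, k, p) for k in range(p - 1)}
    return {v for v in range(1, p) if (f - v) % p in powers}

def run_exchange(a=153, x=301, b=77):
    """One exchange with constructed secrets: a (client), x (password-derived), b (server)."""
    e = pow(G, a, P)              # e = g^a
    v = pow(G, x, P)              # verifier v = g^x
    f = (v + pow(G, b, P)) % P    # f = v + g^b
    return e, v, f

if __name__ == "__main__":
    e, v, f = run_exchange()
    # With logarithms computable in the group, e gives up the client's exponent a.
    print("a recovered from e:", discrete_log(e, G, P))
    # f by itself fits almost every possible verifier, since any nonzero
    # difference f - v' is a power of a primitive root.
    cands = verifiers_consistent_with(f, G, P)
    print("verifier candidates left by f alone:", len(cands), "of", P - 1)
```
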