IETF-SSH archive


Re: Some SRP issues



"Niels Möller" wrote:
> 
> So what is a correct analysis of the case where the attacker tells the
> client to use a group of the attackers choice, and the attacker can
> compute logarithms?
> 
> The values that the attacker gets are
> 
>   e = g^a, from which a discrete log computation yields the users
>            secret dh value a.
> 
>   f = v + g^b, which doesn't yield anything obvious.

Worst case, if the attacker feeds the client a "booby-trapped" safe
prime that he can do fast DL in, then he can extract the client's secret
"a".  He then sends some random string in place of B, gets the client's
response hash, and then can run through a list of passwords, guessing
possible passwords and checking them against the client's response.  The
defense is to accept only known, safe parameters (like the Oakley/IPSec
moduli) or at least allow only parameters that pass verification *and*
are sufficiently long.

> /Niels

Tom
-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg?  Sounds Swedish..."


