Re: Some SRP issues

To: Niels Möller <nisse%lysator.liu.se@localhost>
Subject: Re: Some SRP issues
From: Tom Wu <tom%arcot.com@localhost>
Date: Mon, 19 Mar 2001 19:19:36 -0800

"Niels Möller" wrote:
> 
> So what is a correct analysis of the case where the attacker tells the
> client to use a group of the attackers choice, and the attacker can
> compute logarithms?
> 
> The values that the attacker gets are
> 
>   e = g^a, from which a discrete log computation yields the users
>            secret dh value a.
> 
>   f = v + g^b, which doesn't yield anything obvious.

Worst case, if the attacker feeds the client a "booby-trapped" safe
prime that he can do fast DL in, then he can extract the client's secret
"a".  He then sends some random string in place of B, gets the client's
response hash, and then can run through a list of passwords, guessing
possible passwords and checking them against the client's response.  The
defense is to accept only known, safe parameters (like the Oakley/IPSec
moduli) or at least allow only parameters that pass verification *and*
are sufficiently long.

> /Niels

Tom
-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg?  Sounds Swedish..."

Follow-Ups:
- Re: Some SRP issues
  - From: Niels Möller

References:
- Some SRP issues
  - From: Niels Möller
- Re: Some SRP issues
  - From: Tom Wu
- Re: Some SRP issues
  - From: Niels Möller

Prev by Date: Re: Some SRP issues
Next by Date: Re: Some SRP issues
Previous by Thread: Re: Some SRP issues
Next by Thread: Re: Some SRP issues
Indexes:

Home | Main Index | Thread Index | Old Index