IETF-SSH archive
Re: Some SRP issues
Tom Wu <tom%arcot.com@localhost> writes:
> Worst case, if the attacker feeds the client a "booby-trapped" safe
> prime that he can do fast DL in, then he can extract the client's secret
> "a". He then sends some random string in place of B, gets the client's
> response hash, and then can run through a list of passwords, guessing
> possible passwords and checking them against the client's response. The
> defense is to accept only known, safe parameters (like the Oakley/IPSec
> moduli) or at least allow only parameters that pass verification *and*
> are sufficiently long.
Thanks.
I don't feel terribly good about requiring the client to check that
some prime provided by the server is safe. So I'd prefer a hard coded
list (which can be expanded as time goes by).
/Niels
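The two client-side policies discussed above, as an added example that is not part of the original thread, the IETF draft, or any SRP implementation: `validate_srp_group` implements the "verify *and* require sufficient length" option (N must be a safe prime, g must generate the whole group, and N must meet a bit-length floor), and `accept_group` layers Niels' preferred hard-coded list on top of it, accepting unlisted parameters only when the caller opts in. The 10-bit group N=1019, g=2 is a constructed demo entry so the script runs quickly; the function names, the `KNOWN_GROUPS` table, and the `min_bits` values are assumptions of this example, not anything the draft specifies.

```python
import hashlib
import random

# Policy knob: parameters shorter than this are rejected even if they verify.
# A real client would set this to 1024 or more; the demo below passes 10.
DEFAULT_MIN_BITS = 1024

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rounds=40, rng=random.SystemRandom()):
    """Miller-Rabin with random bases.  Random bases matter here: the server
    is the adversary and could craft a composite that fools fixed bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def validate_srp_group(N, g, min_bits=DEFAULT_MIN_BITS):
    """Return (ok, reason).  Accept only a safe prime N = 2q+1 with q prime,
    at least min_bits long, and g a generator of the whole group mod N.
    A prime N whose N-1 is smooth (e.g. 257, N-1 = 2^8) fails the safe-prime
    test, which is exactly the "booby-trapped" case: fast discrete logs."""
    if N.bit_length() < min_bits:
        return False, "modulus too short: %d bits < %d" % (N.bit_length(), min_bits)
    if N % 2 == 0 or not is_probable_prime(N):
        return False, "N is not prime"
    q = (N - 1) // 2
    if not is_probable_prime(q):
        return False, "N is not a safe prime: (N-1)/2 is composite"
    if not 2 <= g <= N - 2:
        return False, "g out of range"
    # The group has order 2q.  Elements of order 1 or 2 are only +-1 (already
    # excluded), so g generates the whole group iff g^q != 1 mod N.
    if pow(g, q, N) == 1:
        return False, "g is not a generator (it lies in the order-q subgroup)"
    return True, "ok"


def group_fingerprint(N, g):
    """Stable key for the hard-coded list (hash of the decimal N:g pair)."""
    return hashlib.sha256(("%d:%d" % (N, g)).encode()).hexdigest()


# The hard-coded list: a constructed demo entry only.  A real client would
# list published groups (such as the Oakley/IPsec moduli) and grow it over time.
DEMO_N, DEMO_G = 1019, 2          # 1019 = 2*509 + 1, both prime; 2 generates Z_1019^*
KNOWN_GROUPS = {group_fingerprint(DEMO_N, DEMO_G): "demo 10-bit safe prime"}


def accept_group(N, g, min_bits=DEFAULT_MIN_BITS, known=KNOWN_GROUPS,
                 allow_unlisted=False):
    """Client acceptance policy.  Known groups are accepted outright; unlisted
    parameters are accepted only if allow_unlisted is set AND they pass
    verification and the length floor."""
    if group_fingerprint(N, g) in known:
        return True, "known group"
    if not allow_unlisted:
        return False, "unlisted group rejected"
    return validate_srp_group(N, g, min_bits)


if __name__ == "__main__":
    # 1023 = 3*11*31 is composite; 257 is prime but not safe; 4 = 2^2 has order q.
    for N, g in [(1019, 2), (1023, 2), (257, 3), (1019, 4)]:
        print(N, g, accept_group(N, g, min_bits=10, allow_unlisted=True))
```

Note what the verification path costs the client: two probabilistic primality tests on a number of at least 1024 bits, run on every connection unless results are cached, which is the burden the reply above is reluctant to impose; the list lookup is a single hash.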