IETF-SSH archive


Re: SRP unencumbered license statement



Mika Kojo wrote:
> 
> Tom Holroyd writes:
> > Not to mention that it provides strong authentication of both client *and*
> > server, even when the host key has changed or is unknown, and it doesn't
> > leak any information to eavesdroppers or MITM.  :-)
> >
> > So, SRP is ready to go.
> 
> The problem with SRP, when compared to some other password-AKEs, is
> that it doesn't provide a security proof in the standard
> models. A security proof would guarantee that negligible information
> leakage occurs when the adversary is not capable of solving the decisional
> Diffie-Hellman problem or some such. If you have such a proof, please
> supply a reference.

The only other password-based key exchange that has a security proof (in
the random oracle model) is PAK, and it's not free to my knowledge.  The
majority of the secure password protocols (EKE, SPEKE, etc.) fall into
the "unproven but unbroken" category.

> Best regards,
> Mika Kojo
> SSH Communications Security Corp

Tom
-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg?  Sounds Swedish..."


