IETF-SSH archive
Re: SRP unencumbered license statement
Tom Wu writes:
> Mika Kojo wrote:
> > The problem with SRP, when compared to some other password-AKEs, is
> > that it doesn't provide a security proof in the standard
> > models. A security proof would guarantee that negligible information
> > leakage occurs when the adversary is not capable of solving the decisional
> > Diffie-Hellman problem or some such. If you have such a proof, please
> > supply a reference.
>
> The only other password-based key exchange that has a security proof (in
> the random oracle model) is PAK, and it's not free to my knowledge. The
> majority of the secure password protocols (EKE, SPEKE, etc.) fall into
> the "unproven but unbroken" category.

There is also one by Rogaway et al. and a recent one by Katz et
al. (and the latter seems to avoid random oracles). Perhaps the point
is that provable security could be a factor when selecting new
protocols, although not a decisive one (as, for example, random oracles
have been criticized recently).

This is not really SRP-specific; the SSH2 key exchange scheme does not
have a proof of security either.

Best regards,
Mika Kojo
SSH Communications Security Corp