IETF-SSH archive


Re: SRP unencumbered license statement



Tom Wu writes:
> Mika Kojo wrote:
> > The problem with SRP, when compared to some other password AKEs, is
> > that it doesn't provide a security proof in the standard
> > models. A security proof would guarantee that negligible information
> > leakage occurs when the adversary is not capable of solving the decisional
> > Diffie-Hellman problem or some such. If you have such a proof, please
> > supply a reference.
> 
> The only other password-based key exchange that has a security proof (in
> the random oracle model) is PAK, and it's not free to my knowledge.  The
> majority of the secure password protocols (EKE, SPEKE, etc.) fall into
> the "unproven but unbroken" category.

There is also one by Rogaway et al. and a recent one by Katz et
al. (and the latter seems to avoid random oracles). Perhaps the point
is that provable security could be a factor when selecting new
protocols, although not a decisive one (as for example random oracles
have been criticized recently).

This is not really SRP-specific; the SSH2 key exchange scheme does not
have a proof of security either.

Best regards,
Mika Kojo
SSH Communications Security Corp


