IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: GSS-API SRP mech (was Re: retrying keyex ...)



> I believe 
>
> http://www.ietf.org/internet-drafts/draft-burdis-cat-srp-sasl-08.txt
>
> Is an SRP SASL mechanism that also uses GSSAPI framing, perhaps this is
> enough (I haven't looked at it yet).

It appears that that by itself doesn't provide integrity protection,
and draft-ietf-secsh-gsskeyex says:

   The key exchange method described in section 1 of this document
   depends on the underlying GSSAPI mechanism to provide both mutual
   authentication and per-message integrity services.  If either of
   these features is not supported by a particular GSSAPI mechanism, or
   by a particular implementation of a GSSAPI mechanism, then the key
   exchange is not secure and MUST fail.

In theory, you can use that SASL mechanism with an intergrity
protection layer.  In practice, since it appears that the SASL SRP
mechanism basically does the things you want a Secure Shell key
exchange to accomplish, it may be better to define a new Secure Shell
key exchange algorithm to support SRP.

However, this is probably a mostly academic discussion at the moment,
due to IPR issues related to SRP.  Fortunately, patents do expire
eventually.






Home | Main Index | Thread Index | Old Index