Status of SRP

James A. Donald jamesd at echeque.com
Thu Jun 1 01:41:50 EDT 2006


     --
Ka-Ping Yee wrote:
 > "Phishing" can mean a few different things.  If by
 > "phishing" you mean the stealing of passwords, then
 > yes, SRP would help to eliminate that problem, but
 > users could still be fooled into giving away their SRP
 > passwords if the user interface for entering the
 > password is convincingly imitated.

SRP necessarily runs in the chrome, in the client
software, not in the web page; therefore the chrome
should put up an image that cannot be convincingly
imitated by HTML - for example, on Windows, a
non-rectangular login page, as with Paradox's keygen, or, as
with the InfoCard software, taking over the entire
screen, including covering the taskbar, which an HTML
page cannot do.

In order to imitate that, the attacker would need
control of the client machine.

 > I'm working on Passpet, a password management tool
 > that tries to address several of the big
 > phishing-related problems including password capture
 > and dictionary attack, and for the authentication part
 > I chose SRP.  So that's one place it's getting used,
 > anyway.

Cannot find a web page that presents Passpet.


     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      ybM860Mr+CSlXrrR8xph9v0B91GQWJBI8SAGwuFs
      4B8M3YBCebHr5lGeEDBz+TIrbMLygWsXUEGxXWNj5



---------------------------------------------------------------------
The Cryptography Mailing List