Status of SRP

Lance James lancej at securescience.net
Tue May 30 22:37:14 EDT 2006


James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to happening.  SASL-SRP was
> recently dropped.  What is the problem?

I disagree here; I don't think this will stop phishing, for many reasons.
Please explain how it would. It will stop "man-in-the-middle" attacks on
the protocol, but phishers aren't attacking the protocols themselves.

It's still single-auth, and I can still obtain the user password via
phishing. Please correct me if I'm wrong, but phishing happens before this
protocol is ever accessed.

If Mallory convinces Carol to log into a spoofed site that looks like
Steve but is not running SRP, then u and x are obtained by Mallory. Mallory
simply logs into Steve with u and x.

In SRP what is preshared is g^x where x = H(s,p) where s is a salt and p
is the password.

p would be a weakness here because the user knows it, and in phishing,
if the user knows it, the user is vulnerable.

My 2 cents.


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://securescience.net/home/news/phishingexposed.html
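The scenario Lance describes, as an added example that is not from the thread or from any SRP implementation: a toy SRP-6a exchange in Python in which the server holds only the salt and verifier g^x, yet anyone who has learned the password off-protocol (as a spoofed page would) authenticates exactly like the legitimate user, while a wrong password fails. The group constant is transcribed from RFC 2409; the function names and the sample password are assumptions.

```python
import hashlib
import secrets

# Added example, not from the thread. Group: the 1024-bit MODP safe prime of
# RFC 2409 (group 2) with generator 2, transcribed here; SRP deployments
# today use at least a 2048-bit group (see RFC 5054).
N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
g = 2

def H(*parts) -> int:
    """Hash the ':'-joined decimal/text parts to an integer (SHA-256)."""
    data = ":".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def enroll(password: str) -> tuple[int, int]:
    """Registration: the server stores (s, v = g^x) with x = H(s, p) and never
    p itself. This is what SRP protects if the server database leaks."""
    s = secrets.randbelow(2**64)
    return s, pow(g, H(s, password), N)

def srp_login(typed_password: str, s: int, v: int) -> bool:
    """One SRP-6a exchange. The client side uses only the typed password; the
    server side uses only (s, v). True when both derive the same session key."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral
    A = pow(g, a, N)                          # client -> server
    while True:                               # server ephemeral; reject B == 0
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N        # server -> client (with s)
        if B != 0:
            break
    u = H(A, B)                               # scrambling parameter, both sides
    x = H(s, typed_password)                  # only someone holding p can do this
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return S_client == S_server               # real SRP also exchanges proofs of S

def phishing_scenario() -> tuple[bool, bool]:
    """Carol enrols at Steve with p, then types p into Mallory's spoofed page.
    Returns (login with the captured p, login with a wrong p)."""
    p = "correct horse battery staple"        # constructed sample password
    s, v = enroll(p)
    captured_by_mallory = p                   # learned off-protocol, before SRP runs
    return srp_login(captured_by_mallory, s, v), srp_login("guess", s, v)
```

The defensive takeaway is the one in the post: SRP keeps p off the server and off the wire, so the mitigation for the spoofed-page case lies in what the user reveals (origin binding, a second factor), not in the key exchange itself.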


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


