Problems with the SRP Protocol paper?

Jonathan Herzog jherzog at jonathanherzog.com
Sun Feb 17 16:02:27 EST 2008 

Greetings--

A new list-member here, so please forgive me if this is off-topic or  
has been discussed before. However, I've recently discovered a  
problem with the proof of security for the Secure Remote Password  
(SRP) Protocol, and Ivan Krstic recommended that I ask about it here.

In particular: The SRP protocol is a password-based authenticated key- 
exchange protocol that has been recently added to the TLS standard  
[RFC 5054] and the IEEE standard P1363.2. It is based on Diffie- 
Hellman, and claims to have all sorts of security properties.  
However, the original paper on the protocol [Wu, 1997] is somewhat  
unsatisfying from a mathematical viewpoint. First, it fails to  
rigorously define the properties the protocol is to meet, and gives  
only English-language intuitions. Secondly, it sometimes fails to  
argue that the protocol meets even those intuitions. Lastly, some of  
the crucial arguments of security are flawed in deep, deep ways.

The first two types of problems above are perhaps forgivable: the  
paper was published back in 1997 and cryptographers are still arguing  
today about how exactly to formally define security for these kinds  
of protocols. The last problem, however, is more worrisome. In  
particular, the 'proof' of security for SRP shows (correctly) that in  
certain cases, the problem of breaking SRP is exactly the same as  
breaking Diffie-Hellman. That is, Diffie-Hellman is a *special case*  
of SRP. Therefore, if one can break *all* instances of SRP, then one  
can break Diffie-Hellman and thus SRP is as secure as Diffie-Hellman.

However, this last step is wrong, at least in the area of  
cryptography. If we were talking about NP-completeness, then yes,  
this argument would work. But in crypto, we can't necessarily judge a  
crypto primitive by its hardest case.  We need to talk about the  
ability of the adversary to break a non-negligible *fraction* of  
cases. After all, the above 'proof' of security leaves open the  
possibility that it is easy to break those instances of SRP (the vast  
majority, actually) which *don't* directly encode a Diffie-Hellman  
problem.

Of course, this flaw in the proof can be fixed. It is straightforward  
to do the proof right, and to show that a random instance of a Diffie- 
Hellman problem can be transformed into a random instance of the SRP  
protocol. But the flaw in the paper is worrisome. Is this a known  
problem that has been addressed by later literature? Does anyone know  
of an analysis of SRP that measures the protocol against any of the  
recently-formulated definitions of security [Bellare & Rogaway 1994;  
Bellare, Pointcheval & Rogaway 2000, Canetti et al 2005]? In other  
words, do we know more about the security of SRP than is contained in  
the original 1997 paper?

Thanks.

--
Jonathan Herzog
Cryptographic consulting
jherzog at jonathanherzog.com
www.jonathanherzog.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list