[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?

Carlo Contavalli ccontavalli at gmail.com
Sun Aug 2 12:54:00 EDT 2015


Hello,

I haven't seen many conversations or much noise about SRP, from
http://srp.stanford.edu/, on this mailing list.

By a quick reading, and by peeking at the implementation, it provides
strong mutual authentication of both client and server through a
"shared secret", which is stored as a one-way hash on the server, and
never exchanged on the wire.

E.g., if used with ssh, checking the fingerprint when connecting would
be significantly less relevant, the fact that the server can establish
an encrypted session at all proves that the server knows a hash of the
shared secret.

Has drawbacks - but certainly sounds like an improvement compared to
existing protocols?

Are there / why are not similar technologies used for web?

I see two separate needs x509 certificates and TLS typically try to address:
1) establishing the identity of a site you connect to.
2) maintaining privacy and preventing mangling of the data exchanged.

If I think about my typical workflow, ... x509 and certificates would
still play a role the first time I end up on a site.

E.g., the first time I go to uber.com, or first time I register to use
my health plan benefits online, I would check that the certificate
matches who the site claims to be.

But from then on... once registered, and once I have a password, SRP
would allow me to establish that the remote end is who they claim to
be based on their ability to prove that they know a hash of my
password, the certificate would just be an additional protection?

Seems like a significant improvement over what we have today? Reducing
exposure, and need to trust certification authorities?

For example: a rogue certificate authority creates a false uber /
false health plan management site. Or a rogue certificate is installed
on my laptop. I try to log in after this fake has been created, ... I
would not be able to log in? or notice immediately? Or if they proxy my
connection acting as a MITM, they would not be able to decrypt my
data?

Opinions?
Carlo
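The exchange Carlo describes, as an added worked example (not code from the original post, and not from the Stanford SRP implementation): a full SRP-6a login between a client and a server, written from scratch on the Python standard library. It shows the property the post relies on: the server stores only a verifier v = g^x mod N, the password never goes on the wire, and a server that does not hold the real verifier (a fake site behind a rogue certificate, in Carlo's scenario) cannot derive the session key, so the client's check of the server's proof fails. The identity, password and salt are constructed sample values; the 1024-bit group is the one published in RFC 5054 Appendix A and should be copied from the RFC before anyone relies on it; the message formats follow the RFC 2945 / SRP-6a conventions but are assumed here, not taken from any particular library. Two caveats the code does not remove: on the very first visit SRP gives no identity at all (Carlo's point that certificates still matter there), and a stolen verifier can be attacked offline with a dictionary, so the verifier store needs the same care as a password database.

```python
"""Worked SRP-6a exchange (added example; not the original post's code)."""
import hashlib
import secrets
from typing import Optional, Tuple

# 1024-bit safe prime and generator from RFC 5054 Appendix A
# (check the constant against the RFC before relying on it).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # byte length of N, used for padding


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054 PAD())."""
    return x.to_bytes(NLEN, "big")


def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


k = to_int(H(pad(N), pad(g)))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(salt: bytes, identity: bytes, password: bytes) -> int:
    """x = H(s | H(I | ':' | P)). Only the client ever computes this."""
    return to_int(H(salt, H(identity, b":", password)))


def enroll(identity: bytes, password: bytes) -> Tuple[bytes, int]:
    """Registration: the client derives v = g^x mod N and hands the server
    (salt, v). The server never sees the password or x."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


def client_proof(identity: bytes, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    """M1 = H( H(N) xor H(g) | H(I) | s | A | B | K )  (RFC 2945 form)."""
    hn, hg = H(pad(N)), H(pad(g))
    return H(bytes(p ^ q for p, q in zip(hn, hg)), H(identity), salt, pad(A), pad(B), K)


class Server:
    def __init__(self, identity: bytes, salt: bytes, verifier: int):
        self.I, self.s, self.v = identity, salt, verifier  # stored at enrollment

    def challenge(self, A: int) -> Tuple[bytes, int]:
        """Step 2: receive A, reply with (salt, B) where B = k*v + g^b mod N."""
        if A % N == 0:
            raise ValueError("client sent A = 0 mod N")  # RFC 5054 abort rule
        self.A, self.b = A, secrets.randbits(256)
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.s, self.B

    def verify(self, M1: bytes) -> Optional[bytes]:
        """Step 4: check the client's proof; return the server proof M2 or None."""
        u = to_int(H(pad(self.A), pad(self.B)))
        S = pow(self.A * pow(self.v, u, N) % N, self.b, N)  # (A * v^u)^b
        self.K = H(pad(S))
        if not secrets.compare_digest(client_proof(self.I, self.s, self.A, self.B, self.K), M1):
            return None
        return H(pad(self.A), M1, self.K)


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password

    def start(self) -> int:
        """Step 1: send A = g^a mod N."""
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)
        return self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        """Step 3: derive the session key from the password and send proof M1."""
        if B % N == 0:
            raise ValueError("server sent B = 0 mod N")
        self.B = B
        u = to_int(H(pad(self.A), pad(B)))
        x = private_x(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)  # (B - k*g^x)^(a + u*x)
        self.K = H(pad(S))
        self.M1 = client_proof(self.I, salt, self.A, B, self.K)
        return self.M1

    def check_server(self, M2: Optional[bytes]) -> bool:
        """Step 5: only a server holding the real verifier can produce this M2."""
        return M2 is not None and secrets.compare_digest(M2, H(pad(self.A), self.M1, self.K))


def login(client: Client, server: Server) -> bool:
    """Run the full exchange; True only if both sides authenticated each other."""
    A = client.start()
    salt, B = server.challenge(A)
    M1 = client.respond(salt, B)
    return client.check_server(server.verify(M1))


def demo() -> dict:
    I, P = b"carlo", b"correct horse battery staple"  # constructed sample values
    salt, v = enroll(I, P)
    honest = login(Client(I, P), Server(I, salt, v))
    # A fake site that never received v (it only has a certificate and the
    # public salt): it cannot derive K, so the client rejects its proof.
    rogue = login(Client(I, P), Server(I, salt, pow(g, secrets.randbits(256), N)))
    # A wrong password from the client is rejected by the real server.
    wrong_pw = login(Client(I, b"guess"), Server(I, salt, v))
    return {"honest": honest, "rogue_server": rogue, "wrong_password": wrong_pw}


if __name__ == "__main__":
    print(demo())  # {'honest': True, 'rogue_server': False, 'wrong_password': False}
```

Running `demo()` shows the three outcomes side by side: the honest exchange succeeds, the server without the verifier is detected at step 5 before any application data flows, and a wrong password is detected at step 4. The `A mod N == 0` and `B mod N == 0` checks are the RFC 5054 abort rules that stop a peer from forcing a degenerate key; a deployment would also reject `u == 0` and rate-limit failed logins, since every failed attempt still leaks one password guess to whoever ran it.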

