[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?

Ben Laurie ben at links.org
Tue Sep 1 13:29:06 EDT 2015


On Fri, 7 Aug 2015 at 12:39 Ben Laurie <ben at links.org> wrote:

> On Wed, 5 Aug 2015 at 15:39 Carlo Contavalli <ccontavalli at gmail.com>
> wrote:
>
>> On Wed, Aug 5, 2015 at 3:07 AM, Ben Laurie <ben at links.org> wrote:
>> > On Wed, 5 Aug 2015 at 03:24 Carlo Contavalli <ccontavalli at gmail.com> wrote:
>> >>
>> >> The cost on the user is in making sure he is entering the username and
>> >> password only in "secure boxes", rather than random ones on the web
>> >> site.
>> >
>> >
>> > This is the core problem - if we could get users to only type their
>> > passwords into the one true password box, then there are many viable
>> > solutions to "the password problem". But all attempts to do this so far
>> > have been dismal failures.
>>
>> Out of curiosity, do you have more details about previous attempts?
>>
>
> Here's a paper that gives a pretty fair overview of the problem:
>
> https://cups.cs.cmu.edu/soups/2005/2005proceedings/p77-dhamija.pdf
>
> Unfortunately I can't find the study they claim they're going to do in
> that paper, but I do remember seeing it: it didn't work very well. Which is
> probably why I can't find it anymore.
>

And now I have found it, and it works even less well than I remembered:

http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4223213&tag=1