On 2012-10-19 10:52 AM, Jeffrey Walton wrote:
Hi All,

I have a Secure Remote Password (SRP) implementation that went through
a pen test. The testers provided a critical finding - the email
address was sent in the plaintext. Note that plaintext email addresses
are part of the protocol.

I'm not really convinced that using an email address in the plaintext
for the SRP protocol is finding-worthy, considering email addresses
are public information. And I'm very skeptical that it's a critical
finding.

With that said, what are the options here? I was thinking a simple
mask function, which would remove the "plaintext-ness" (but not add
any security to the system). Heuristically, masking the email address
is *not* less secure than sending the email in the plaintext.

Any ideas?

Jeff
_______________________________________________

Please describe protocol

I conjecture that it works as username and password, and the email addresses are the username. If so, why not make a one way hash of the email address the username, rather than the plaintext email address?
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
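To make the discussion concrete, here is a complete SRP-6a exchange (RFC 5054 1024-bit group, SHA-256) that shows exactly where the identity I crosses the wire and what changes if, as the reply suggests, a hash of the email address is used as I instead of the address itself. This is an added example written for this thread, not code from either poster; the function names, the in-memory `db`, and the particular way `identity()` normalises and hashes the address are this example's own choices, and the constructed credentials are for illustration only.

```python
"""SRP-6a exchange (RFC 5054 group, SHA-256) showing where the identity I
travels in the clear and how a hashed email can stand in for it.
Added example for this thread, not code from the original posts; the
function names, the hashed-identity derivation and the in-memory 'db'
are this example's own choices."""
import hashlib
import secrets

# RFC 5054 Appendix A, 1024-bit group; generator g = 2
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054 requires for hashing."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier k = H(N, g)


def identity(email: str) -> bytes:
    """The I value sent on the wire. Unkeyed SHA-256 of the normalised email:
    it keeps the literal address out of captures, but anyone who can guess
    the address can recompute it, so this is masking, not secrecy."""
    return hashlib.sha256(email.strip().lower().encode()).digest()


def private_x(I: bytes, salt: bytes, password: str) -> int:
    # RFC 5054: x = H(salt | H(I | ":" | password))
    return H(salt, hashlib.sha256(I + b":" + password.encode()).digest())


def enroll(db: dict, email: str, password: str) -> bytes:
    """Registration: server stores (salt, verifier) under I, never the password."""
    I = identity(email)
    salt = secrets.token_bytes(16)
    db[I] = (salt, pow(g, private_x(I, salt, password), N))
    return I


def run_exchange(db: dict, email: str, password: str):
    """One full login. Returns (server_accepted, transcript); the transcript
    lists every value that crosses the wire, in the order it is sent."""
    transcript = []
    # Client -> Server: I, A   (I goes in the clear; this is the pen-test finding)
    I = identity(email)
    a = secrets.randbelow(N - 2) + 2
    A = pow(g, a, N)
    transcript.append(("C->S", {"I": I.hex(), "A": A}))
    # Server -> Client: salt, B
    if A % N == 0:
        raise ValueError("client sent A = 0 mod N")
    if I not in db:
        raise KeyError("unknown identity")  # a real server should not leak this
    salt, v = db[I]
    b = secrets.randbelow(N - 2) + 2
    B = (k * v + pow(g, b, N)) % N
    transcript.append(("S->C", {"salt": salt.hex(), "B": B}))
    if B % N == 0:
        raise ValueError("server sent B = 0 mod N")
    u = H(pad(A), pad(B))
    # Client: S = (B - k*g^x)^(a + u*x), then proof M1 = H(A, B, K)
    x = private_x(I, salt, password)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_c = hashlib.sha256(pad(S_c)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_c).digest()
    transcript.append(("C->S", {"M1": M1.hex()}))
    # Server: S = (A * v^u)^b, verify M1, answer with M2 = H(A, M1, K)
    S_s = pow((A * pow(v, u, N)) % N, b, N)
    K_s = hashlib.sha256(pad(S_s)).digest()
    expected = hashlib.sha256(pad(A) + pad(B) + K_s).digest()
    accepted = secrets.compare_digest(M1, expected)
    if accepted:
        M2 = hashlib.sha256(pad(A) + M1 + K_s).digest()
        transcript.append(("S->C", {"M2": M2.hex()}))
    return accepted, transcript


if __name__ == "__main__":
    db = {}
    enroll(db, "Alice@Example.com", "correct horse")  # constructed credentials
    ok, tr = run_exchange(db, "alice@example.com", "correct horse")
    print("accepted:", ok)
    for direction, msg in tr:
        print(direction, {key: (val if isinstance(val, str) else hex(val)[:18] + "...")
                          for key, val in msg.items()})
```

The transcript makes the point of the thread visible: the first message is `I, A`, and the server needs I in the clear to look up the salt and verifier before any key exists, so nothing in SRP itself can encrypt it. Swapping the address for `identity(email)` changes only what an observer sees, not what they can learn: an unkeyed hash of a guessable address is recomputed in one hash call per candidate, which is the "no added security" Jeff already anticipates for a mask.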