On Mar 13, 2015, at 3:25 AM, Fabio Pietrosanti (naif) - lists <li...@infosecurity.ch> wrote:
> SRP is a very cool authentication protocol, not yet widely deployed, but > with very interesting properties. Indeed it is. > I'm wondering how strong is considered the storage of the password's > related material strength? As others have said, these are separate properties. SRP is a independent of the KDF. It does not solve or address the problem of password cracking. > I mean, from a passive/offline brute forcing perspective, how can be > compared scrypt vs. SRP's server-side storage of passwords? As others have said, this is like comparing AES with PBKDF2. They address different problems. > Does anyone ever considered that kind of problem? Yes. I have, but nothing written up yet. One (of several) advantages of SRP is that the password is never sent as plaintext to the server. Thus, it reduces the scope of the server from capturing the password. So it makes it harder for the server to “be evil”. So this may still a worth while thing for you to pursue, even if it does’t solve the fact that you are storing stuff that needs to be kept secret because it can be cracked. Also note, that if you are delivering the SRP routines to the client in a web browser, then this gains you nothing. As a compromised server could just deliver malicious JavaScript. That is, your delivery system is vulnerable to the same attacks that you are trying to defend against by using SRP. > Because SRP protocol is cool, but i'm really wondering if the default > methods are "strong enough" against brute forcing. Forgive the repetition of what I and others have said: SRP has nothing to say about brute forcing. Cheers, -j _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
