OK, safe primes are "better" than ordinary primes in theory.  But as I 
said, in practice, the strength of the authentication is based on the 
two random numbers, which are not exchanged.  Any weakness of the prime, 
group, or generator is of use for breaking the verifier, not the 
authentication or session key.

Is there any practical weakness for a non-safe prime of reasonable 
size?  Probably not.  On the other hand, there's no reason not to, since the 
only difference is a one-time cost for picking a prime. But the SRP test 
vectors are probably good enough.

Google "attacks on SRP".

For those less interested in the details, see 
http://srp.stanford.edu/advantages.html

On 1/26/2016 8:54 AM, Mark Rotteveel wrote:
> On Tue, 26 Jan 2016 08:35:53 -0500, James Starkey <j...@jimstarkey.net>
> wrote:
>> Are there any reasons to believe there are unsafe SRP primes?
> http://tools.ietf.org/html/rfc5054:
>
>     The group parameters (N, g) sent in this message MUST have N as a
>     safe prime (a prime of the form N=2q+1, where q is also prime).  The
>     integers from 1 to N-1 will form a group under multiplication % N,
>     and g MUST be a generator of this group.  In addition, the group
>     parameters MUST NOT be specially chosen to allow efficient
>     computation of discrete logarithms.
>
>     The SRP group parameters in Appendix A satisfy the above
>     requirements, so the client SHOULD accept any parameters from this
>     appendix that have large enough N values to meet her security
>     requirements.
>
>     The client MAY accept other group parameters from the server, if the
>     client has reason to believe that these parameters satisfy the above
>     requirements, and the parameters have large enough N values.  For
>     example, if the parameters transmitted by the server match parameters
>     on a "known-good" list, the client may choose to accept them.  See
>     Section 3 for additional security considerations relevant to the
>     acceptance of the group parameters.
>
> On http://srp.stanford.edu/design.html:
>
> N    A large safe prime (N = 2q+1, where q is prime)
>
> On http://tools.ietf.org/html/rfc2945:
>
>     For
>     maximum security, N should be a safe prime (i.e. a number of the form
>     N = 2q + 1, where q is also prime).
>
> Based on the above sources, I'd guess that more knowledgeable people than
> me have arrived at the conclusion that some primes are better than others
> when it comes to SRP :). The above also seems to imply that the values of N
> and g can be chosen in a way to decrease security.
>
> Mark
>
> Firebird-Devel mailing list, web interface at 
> https://lists.sourceforge.net/lists/listinfo/firebird-devel
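
The check the quoted RFC 5054 text asks a client to make on (N, g), as an added example that is not part of this thread or of Firebird's code. The function names and the small test groups are constructed for illustration; the generator test assumes the RFC's requirement that g generate the whole multiplicative group mod N.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with fixed small bases plus `rounds` random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2^s with d odd
        d //= 2
        s += 1
    bases = list(SMALL_PRIMES)
    bases += [2 + secrets.randbelow(n - 3) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True

def check_srp_group(N, g, min_bits=2048):
    """Return a list of problems; an empty list means (N, g) passed."""
    problems = []
    if N.bit_length() < min_bits:
        problems.append("N too small")
    if not is_probable_prime(N):
        return problems + ["N is not prime"]
    q = (N - 1) // 2
    if not is_probable_prime(q):
        # The generator test below relies on N - 1 = 2q, so stop here.
        return problems + ["N is not a safe prime"]
    # The order of g divides 2q, so it is 1, 2, q or 2q. The range check
    # excludes orders 1 and 2 (g = 1, g = N-1); g^q == -1 excludes order q.
    if not 1 < g < N - 1:
        problems.append("g out of range")
    elif pow(g, q, N) != N - 1:
        problems.append("g does not generate the full group")
    return problems
```

A client that accepts only groups from a known-good list can run this once over each list entry when the list is built, rather than on every connection.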

