[EMAIL PROTECTED] writes:

> i've only just started reading, but i am puzzled by:
> 
> >    It is useful in situations where no authentic host key is
> >    known. For Secure Shell, it can be used as a bootstrapping
> >    procedure to get the host key of a server in a safe way.
> 
> is this only the case if the verifier is kept secret?

Exactly. An attacker who knows the verifier (and can perform tricks
with DNS or routing to get a user to connect to the attacker instead
of the real server) can pretend to be the server, and hand out any
data he likes when the client tries to exec "cat /etc/lsh_host_key".

He can probably not perform a traditional MITM attack, though, as he
needs the password itself to play the *user's* part of the protocol.

If you think about it, the server must have *some* secret, which
distinguishes it from rogue servers. With ssh's Diffie-Hellman
exchange, that secret is the private key. For SRP, it's the verifier.

/Niels
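To make the point above concrete, here is an added toy SRP-6a exchange; it is not code from this thread or from lsh, and its group parameters are constructed for illustration rather than a real SRP group. It shows that the server's side of the exchange needs only the verifier v, while the user's side needs x derived from the password, so a party that learns v can complete the server role but not the user role.

```python
import hashlib
import secrets

# Toy group, constructed for illustration: a 127-bit Mersenne prime, not an RFC 5054 group.
N = 2**127 - 1
g = 3


def H(*parts: int) -> int:
    """Hash big-endian encodings of group elements to an integer."""
    data = b"".join(p.to_bytes((p.bit_length() + 7) // 8 or 1, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def private_x(salt: bytes, password: bytes) -> int:
    """x is derived from the password; only the user can compute it."""
    return int.from_bytes(hashlib.sha256(salt + password).digest(), "big")


def verifier(x: int) -> int:
    """v = g^x is what the server stores; recovering x from v is a discrete log."""
    return pow(g, x, N)


def server_public(v: int, b: int) -> int:
    """B = k*v + g^b; computable from v alone."""
    return (k * v + pow(g, b, N)) % N


def client_key(x: int, a: int, B: int) -> int:
    """User side: needs x. S = (B - k*g^x)^(a + u*x)."""
    A = pow(g, a, N)
    u = H(A, B)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return H(S)


def server_key(v: int, b: int, A: int) -> int:
    """Server side: needs only v. S = (A * v^u)^b. Whoever holds v can run this."""
    u = H(A, server_public(v, b))
    S = pow(A * pow(v, u, N) % N, b, N)
    return H(S)


def run_exchange(x: int, v: int) -> tuple[int, int]:
    """One exchange: the user holds x, the peer playing the server holds v."""
    a = secrets.randbelow(N - 2) + 1
    b = secrets.randbelow(N - 2) + 1
    return client_key(x, a, server_public(v, b)), server_key(v, b, pow(g, a, N))
```

With the correct x the two keys agree, which is exactly what a rogue server holding a leaked v can achieve; with a guessed password they differ, which is why the verifier alone does not let an attacker play the user.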
