Re: [cryptography] SRP 6a + storage of password's related material strength?

2015-03-14 Thread Jeffrey Walton
On Fri, Mar 13, 2015 at 5:06 PM, Fabio Pietrosanti (naif) - lists
li...@infosecurity.ch wrote:
> On 3/13/15 3:11 PM, Solar Designer wrote:
>>> Because SRP protocol is cool, but I'm really wondering if the default
>>> methods are strong enough against bruteforcing.
>> They are not.
> That was my concern.
>
> Has anyone ever tried to make SRP authentication protocol
> extensions/specs to work with server-side storage of hashes based on scrypt?

I believe the SRP verifiers are the equivalent to a salted, digested
password in traditional password-based systems.  (Some hand waving -
for example, the verifiers are taken modulo n).

If Scrypt provides the same security properties as provided by SHA and
Whirlpool, then Scrypt should be a compatible replacement. It should
not matter that Scrypt provides more security properties (namely, the
memory hardness).

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] SRP 6a + storage of password's related material strength?

2015-03-13 Thread Fabio Pietrosanti (naif) - lists
On 3/13/15 3:11 PM, Solar Designer wrote:
>> Because SRP protocol is cool, but I'm really wondering if the default
>> methods are strong enough against bruteforcing.
> They are not.
That was my concern.

Has anyone ever tried to make SRP authentication protocol
extensions/specs to work with server-side storage of hashes based on scrypt?

From my humble understanding of crypto, it would be like leveraging the
best properties of SRP authentication protocol and scrypt password hashing.

But yet, my poor-math brain has difficulties understanding if that's
feasible or it's just a stupid consideration.

Fabio


[cryptography] SRP 6a + storage of password's related material strength?

2015-03-13 Thread Fabio Pietrosanti (naif) - lists
Hi all,

SRP is a very cool authentication protocol, not yet widely deployed, but
with very interesting properties.

I'm wondering how strong the storage of the password-related
material is considered to be?

I mean, from a passive/offline brute forcing perspective, how can
scrypt be compared with SRP's server-side storage of passwords?

Has anyone ever considered that kind of problem?

Because SRP protocol is cool, but I'm really wondering if the default
methods are strong enough against bruteforcing.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi



Re: [cryptography] SRP 6a + storage of password's related material strength?

2015-03-13 Thread Alfonso De Gregorio
On Fri, Mar 13, 2015 at 9:25 AM, Fabio Pietrosanti (naif) - lists
li...@infosecurity.ch wrote:
> Hi all,
>
> SRP is a very cool authentication protocol, not yet widely deployed, but
> with very interesting properties.
>
> I'm wondering how strong the storage of the password-related
> material is considered to be?
>
> I mean, from a passive/offline brute forcing perspective, how can
> scrypt be compared with SRP's server-side storage of passwords?
>
> Has anyone ever considered that kind of problem?
>
> Because SRP protocol is cool, but I'm really wondering if the default
> methods are strong enough against bruteforcing.

scrypt Vs. SRP? There is no such dilemma, as they serve different
purposes. The reality is that you should use your password hashing
scheme of choice --- say scrypt --- *and*, if you want to get rid of
the X.509 PKI business, your PAKE protocol of choice --- say SRP 6a
---  to provide mutual authentication.

Yet, you need to be very careful if you adopt SRP:

   If an attacker learns a user's SRP verifier (e.g., by gaining access
   to a server's password file), the attacker can masquerade as the real
   server to that user, and can also attempt a dictionary attack to
   recover that user's password. [RFC5054]

The cost of a password recovery attack against the SRP password
verifier (i.e., preimage security) will depend on the known attacks
on the hashing scheme used to instantiate the SRP protocol. More
specifically, if the hashing scheme is a simple hash function, offline
dictionary attacks will be easy to mount and you will get no security
whatsoever. Still, if the (password) hashing scheme provides better
security guarantees (e.g., scrypt) the final construction will benefit
from its adoption.

In fact: as long as the password verifier remains opaque to the
server, it is possible to retain some freedom of choice for the
hashing scheme used client-side (i.e., the client computes x =
scrypt(passphrase,salt,C,password,dkLen) and v = g^x mod N and the
server stores {I,salt,v}, where I is the user identity, salt is the
user's salt, and v the password verifier).

At the same time, replacing a cryptographic hash function with a
password-based KDF makes the overall password-management harder and
impacts the UX...

Take care.

[RFC5054] http://www.ietf.org/rfc/rfc5054.txt

-- Alfonso

tweets @secYOUre
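
The construction described in the message above, as an added example that is not part of the original post or of any SRP library: the client derives x either with the RFC 5054 SHA-1 default or with scrypt, and the server stores the same {I, salt, v} record in both cases. The function names, scrypt cost parameters and sample credentials are assumptions made for this example; the group is the 1024-bit one from RFC 5054 Appendix A.

```python
import hashlib
import os

# RFC 5054 Appendix A 1024-bit group, generator 2 (kept small for the demo).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def x_sha1(identity: bytes, password: bytes, salt: bytes) -> int:
    """RFC 5054 default: x = SHA1(salt | SHA1(I | ":" | P)), two fast hashes."""
    inner = hashlib.sha1(identity + b":" + password).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def x_scrypt(identity: bytes, password: bytes, salt: bytes) -> int:
    """Variant from the thread: x = scrypt(passphrase, salt, ...).
    identity is accepted only for interface parity and is not hashed.
    Cost parameters (n, r, p, dklen) are assumptions for this example."""
    dk = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1,
                        maxmem=64 * 2**20, dklen=32)
    return int.from_bytes(dk, "big")


def enroll(identity: bytes, password: bytes, derive_x) -> dict:
    """Client-side enrollment: returns the {I, salt, v} record the server keeps.
    The server never runs derive_x, so it stays agnostic to the hash choice."""
    salt = os.urandom(16)
    v = pow(g, derive_x(identity, password, salt), N)
    return {"I": identity, "salt": salt, "v": v}


def verifier_matches(record: dict, candidate: bytes, derive_x) -> bool:
    """Recompute v for one candidate password. Anyone holding the record can
    do this offline, so the per-guess cost is one derive_x call plus a modexp."""
    x = derive_x(record["I"], candidate, record["salt"])
    return pow(g, x, N) == record["v"]


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    for derive_x in (x_sha1, x_scrypt):
        rec = enroll(b"alice", b"correct horse", derive_x)
        print(derive_x.__name__, sorted(rec), rec["v"].bit_length(), "bit verifier")
```

The client must run the same `derive_x` at every login, which is where the scrypt cost shows up for the user.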


Re: [cryptography] SRP 6a + storage of password's related material strength?

2015-03-13 Thread Solar Designer
On Fri, Mar 13, 2015 at 10:25:11AM +0100, Fabio Pietrosanti (naif) - lists 
wrote:
> SRP is a very cool authentication protocol, not yet widely deployed, but
> with very interesting properties.
>
> I'm wondering how strong the storage of the password-related
> material is considered to be?
>
> I mean, from a passive/offline brute forcing perspective, how can
> scrypt be compared with SRP's server-side storage of passwords?

scrypt focuses on addressing this very problem.  SRP does not.

> Has anyone ever considered that kind of problem?

Yes:

https://twitter.com/JokFP/status/234074891408793600
http://opine.me/blizzards-battle-net-hack/
http://opine.me/srp-to-sha1/

> Because SRP protocol is cool, but I'm really wondering if the default
> methods are strong enough against bruteforcing.

They are not.

Alexander


Re: [cryptography] SRP 6a + storage of password's related material strength?

2015-03-13 Thread Jeffrey Goldberg
On Mar 13, 2015, at 3:25 AM, Fabio Pietrosanti (naif) - lists 
li...@infosecurity.ch wrote:

> SRP is a very cool authentication protocol, not yet widely deployed, but
> with very interesting properties.

Indeed it is.

> I'm wondering how strong the storage of the password-related
> material is considered to be?

As others have said, these are separate properties. SRP is independent
of the KDF. It does not solve or address the problem of password cracking.

> I mean, from a passive/offline brute forcing perspective, how can
> scrypt be compared with SRP's server-side storage of passwords?

As others have said, this is like comparing AES with PBKDF2. They
address different problems.

> Has anyone ever considered that kind of problem?

Yes. I have, but nothing written up yet.

One (of several) advantages of SRP is that the password is never
sent as plaintext to the server. Thus, it reduces the scope of the server
from capturing the password. So it makes it harder for the server to
“be evil”.

So this may still be a worthwhile thing for you to pursue, even if it doesn't
solve the fact that you are storing stuff that needs to be kept secret
because it can be cracked.

Also note that if you are delivering the SRP routines to the client
in a web browser, then this gains you nothing, as a compromised
server could just deliver malicious JavaScript.  That is, your delivery
system is vulnerable to the same attacks that you are trying to
defend against by using SRP.

> Because SRP protocol is cool, but I'm really wondering if the default
> methods are strong enough against brute forcing.

Forgive the repetition of what I and others have said: SRP has nothing
to say about brute forcing.

Cheers,

-j

