Re: [cryptography] SRP 6a + storage of password's related material strength?
On Fri, Mar 13, 2015 at 5:06 PM, Fabio Pietrosanti (naif) - lists wrote:
> On 3/13/15 3:11 PM, Solar Designer wrote:
>>> Because SRP protocol is cool, but i'm really wondering if the default
>>> methods are "strong enough" against bruteforcing.
>> They are not.
> That was my concern.
>
> Does anyone ever tried to make SRP authentication protocol
> extensions/specs to work with server-side storage of hashes based on scrypt?
>

I believe the SRP verifiers are the equivalent to a salted, digested password in traditional password-based systems. (Some hand waving - for example, the verifiers are taken modulo n).

If Scrypt provides the same security properties as provided by SHA and Whirlpool, then Scrypt should be a compatible replacement. It should not matter that Scrypt provides more security properties (namely, the memory hardness).

Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] SRP 6a + storage of password's related material strength?
On 3/13/15 3:11 PM, Solar Designer wrote:
>> Because SRP protocol is cool, but i'm really wondering if the default
>> methods are "strong enough" against bruteforcing.
> They are not.

That was my concern.

Does anyone ever tried to make SRP authentication protocol extensions/specs to work with server-side storage of hashes based on scrypt?

From my humble understanding of crypto, it would be like "leveraging the best properties" of SRP authentication protocol and scrypt password hashing.

But yet, my poor-math brain has difficulties understanding if that's feasible or it's just a stupid consideration.

Fabio
Re: [cryptography] SRP 6a + storage of password's related material strength?
On Mar 13, 2015, at 3:25 AM, Fabio Pietrosanti (naif) - lists wrote:
> SRP is a very cool authentication protocol, not yet widely deployed, but
> with very interesting properties.

Indeed it is.

> I'm wondering how strong is considered the storage of the password's
> related material strength?

As others have said, these are separate properties. SRP is independent of the KDF. It does not solve or address the problem of password cracking.

> I mean, from a passive/offline brute forcing perspective, how can be
> compared scrypt vs. SRP's server-side storage of passwords?

As others have said, this is like comparing AES with PBKDF2. They address different problems.

> Does anyone ever considered that kind of problem?

Yes. I have, but nothing written up yet.

One (of several) advantages of SRP is that the password is never sent as plaintext to the server. Thus, it reduces the scope of the server from capturing the password. So it makes it harder for the server to "be evil". So this may still be a worthwhile thing for you to pursue, even if it doesn't solve the fact that you are storing stuff that needs to be kept secret because it can be cracked.

Also note, that if you are delivering the SRP routines to the client in a web browser, then this gains you nothing. As a compromised server could just deliver malicious JavaScript. That is, your delivery system is vulnerable to the same attacks that you are trying to defend against by using SRP.

> Because SRP protocol is cool, but i'm really wondering if the default
> methods are "strong enough" against brute forcing.

Forgive the repetition of what I and others have said: SRP has nothing to say about brute forcing.

Cheers,

-j
Re: [cryptography] SRP 6a + storage of password's related material strength?
On Fri, Mar 13, 2015 at 9:25 AM, Fabio Pietrosanti (naif) - lists wrote:
> Hi all,
>
> SRP is a very cool authentication protocol, not yet widely deployed, but
> with very interesting properties.
>
> I'm wondering how strong is considered the storage of the password's
> related material strength?
>
> I mean, from a passive/offline brute forcing perspective, how can be
> compared scrypt vs. SRP's server-side storage of passwords?
>
> Does anyone ever considered that kind of problem?
>
> Because SRP protocol is cool, but i'm really wondering if the default
> methods are "strong enough" against bruteforcing.

scrypt Vs. SRP? There is no such dilemma, as they serve different purposes.

The reality is that you should use your password hashing scheme of choice --- say scrypt --- *and*, if you want to get rid of the X.509 PKI business, your PAKE protocol of choice --- say SRP 6a --- to provide mutual authentication.

Yet, you need to be very careful if you adopt SRP:

    If an attacker learns a user's SRP verifier (e.g., by gaining access
    to a server's password file), the attacker can masquerade as the real
    server to that user, and can also attempt a dictionary attack to
    recover that user's password. [RFC5054]

The cost of a password recovery attack against the SRP password verifier (i.e., preimage security) will depend on the known attacks to the hashing scheme used to instantiate the SRP protocol. More specifically, if the hashing scheme is a simple hash function, offline dictionary attacks will be easy to mount and you will get no security whatsoever. Still, if the (password) hashing scheme provides better security guarantees (e.g., scrypt) the final construction will benefit from its adoption.

In fact: as long as the password verifier remains opaque to the server, it is possible to retain some freedom of choice for the hashing scheme used client-side (i.e., the client computes x = scrypt(passphrase,salt,C,password,dkLen) and v = g^x mod N and the server stores {I,salt,v}, where I is the user identity, salt is the user's salt, and v the password verifier).

At the same time, replacing a cryptographic hash function with a password-based KDF makes the overall password-management harder and impacts the UX...

Take care.

[RFC5054] http://www.ietf.org/rfc/rfc5054.txt

--
Alfonso
tweets @secYOUre
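The construction described in the message above, as an added example that is not part of the thread: the same {I, salt, v} record is built once with the RFC 5054 default x = SHA1(salt | SHA1(I ":" P)) and once with a scrypt-derived x, and the cost of one offline test against a leaked v is measured for each. The function names, the scrypt cost parameters and the "I:P" input layout for scrypt are assumptions of this example; the group is the 1024-bit one from RFC 5054 Appendix A and the sample inputs are those of its Appendix B test vector.

```python
import hashlib
import time

# 1024-bit SRP group (N, g) from RFC 5054 Appendix A.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

# Sample inputs: identity, password and salt of the RFC 5054 Appendix B test vector.
I, P = b"alice", b"password123"
SALT = bytes.fromhex("BEB25379D1A8581EB5A727673A2441EE")

def x_sha1(identity, password, salt):
    """RFC 5054 default: x = SHA1(salt | SHA1(I | ":" | P)), two fast hashes."""
    inner = hashlib.sha1(identity + b":" + password).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")

def x_scrypt(identity, password, salt, n=2**14, r=8, p=1):
    """Thread's variant: x from scrypt, computed client-side.
    Cost parameters and the I:P input layout are assumptions of this example."""
    dk = hashlib.scrypt(identity + b":" + password, salt=salt,
                        n=n, r=r, p=p, dklen=32)
    return int.from_bytes(dk, "big")

def verifier(x):
    """v = g^x mod N; the server stores {I, salt, v} in both variants."""
    return pow(g, x, N)

def guess_matches(stolen_v, identity, guess, salt, derive_x):
    """Offline test available to anyone holding {I, salt, v}."""
    return verifier(derive_x(identity, guess, salt)) == stolen_v

def seconds_per_guess(derive_x, rounds=3):
    """Average cost of one offline test; this is all that protects a leaked v."""
    start = time.perf_counter()
    for _ in range(rounds):
        guess_matches(0, I, b"candidate", SALT, derive_x)
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    for name, fn in (("sha1", x_sha1), ("scrypt", x_scrypt)):
        print(name, hex(verifier(fn(I, P, SALT)))[:18], f"{seconds_per_guess(fn):.6f}s")
```

The server-side protocol is identical in both cases; only the client's derivation of x changes, so the work factor has to be fixed at enrollment and known to every client implementation.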
Re: [cryptography] SRP 6a + storage of password's related material strength?
On Fri, Mar 13, 2015 at 10:25:11AM +0100, Fabio Pietrosanti (naif) - lists wrote:
> SRP is a very cool authentication protocol, not yet widely deployed, but
> with very interesting properties.
>
> I'm wondering how strong is considered the storage of the password's
> related material strength?
>
> I mean, from a passive/offline brute forcing perspective, how can be
> compared scrypt vs. SRP's server-side storage of passwords?

scrypt focuses on addressing this very problem. SRP does not.

> Does anyone ever considered that kind of problem?

Yes:

https://twitter.com/JokFP/status/234074891408793600
http://opine.me/blizzards-battle-net-hack/
http://opine.me/srp-to-sha1/

> Because SRP protocol is cool, but i'm really wondering if the default
> methods are "strong enough" against bruteforcing.

They are not.

Alexander
[cryptography] SRP 6a + storage of password's related material strength?
Hi all,

SRP is a very cool authentication protocol, not yet widely deployed, but with very interesting properties.

I'm wondering how strong is considered the storage of the password's related material strength?

I mean, from a passive/offline brute forcing perspective, how can be compared scrypt vs. SRP's server-side storage of passwords?

Does anyone ever considered that kind of problem?

Because SRP protocol is cool, but i'm really wondering if the default methods are "strong enough" against bruteforcing.

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi