On Fri, Aug 22, 2008 at 3:12 PM, Pedro Melo <[EMAIL PROTECTED]> wrote: > Hi again, > > On Aug 22, 2008, at 10:58 PM, Pedro Melo wrote: >> >> On Aug 22, 2008, at 9:16 PM, Jonathan Schleifer wrote: >> >>> Am 22.08.2008 um 22:00 schrieb Pedro Melo: >>> >>>> SAS, I meant SAS. >>> >>> Just to be sure: What's the exact difference between SRP and SAS? I only >>> had a short look at SRP and it seemed pretty similar. >> >> The references I found: >> >> * SAS: >> http://www.ietf.org/internet-drafts/draft-barreto-ietf-dhhmac-sas-00.txt; > > A better reference for SAS, given our context of TLS, is this: > > https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-mcgrew-tls-sas.txt > > After doing the protocol you end up with a (minimal) 20bit SAS string. > > They recommend (section 5.2.1 Representing the SAS) that we use a base32 > representation. I personally prefer to use the mnemonic encoder > (http://tothink.com/mnemonic/) that gives me a set of three pronounceable > and distant words. > > Anyway, I prefer SAS because it simpler than SRP, given that I usually have > an alternative channel (not necessary a secure one). SRP usually requires > physical contact to exchange the secret, and if I'm with the person I want > to authenticate, I might as well compare the full signature...
In what was is it simpler than SRP? Both require a secure alternative channel for at least some value of secure. SAS requires an integrity protected side channel. SRP requires a confidential and integrity protected side channel, though the confidentiality window can be made arbitrarily short by doing the password exchange right before the handshake. -Ekr
