Prev: If we could factor large numbers quickly, how exactly does everything break?
Next: Decoding string
From: yawnmoth on 31 Mar 2010 10:57

Say you have a PHP app that handles authentication by handing it off to an LDAP server. If the username / password log into the LDAP server, you're logged into the PHP app. With this kind of setup, DIGEST-MD5 doesn't work because that requires the password or a hash of it be retrievable, and although the LDAP server could no doubt retrieve it, the PHP app can't.

My question is... does the Secure Remote Password protocol have a similar restriction? Does it require the password or a hash of it be retrievable?
From: Scott Fluhrer on 31 Mar 2010 12:02

"yawnmoth" <terra1024(a)yahoo.com> wrote in message news:487e3cb1-128f-4053-8ae1-b1b45d39a40d(a)g28g2000yqh.googlegroups.com...

> Say you have a PHP app that handles authentication by handing it off
> to an LDAP server. If the username / password log into the LDAP
> server you're logged into the PHP app. With this kind of setup,
> DIGEST-MD5 doesn't work because that requires the password or a hash
> of it be retrievable and although the LDAP server could no doubt
> retrieve it the PHP app can't.
>
> My question is... does the Secure Remote Password protocol have a
> similar restriction? Does it require the password or a hash of it be
> retrievable?

Yes. SRP is effectively a secure computation of X=Y (where one side provides X, and the other side provides Y), along with providing a shared secret if the answer is "Yes". As a part of this, SRP uses the actual values of X and Y. So, if you can't provide a value of 'X' (either the password itself, or some hashed version), you cannot use SRP (or EKE or the like).

This isn't just how SRP happens to work; there is a conflict between the SRP security properties and what the system can actually achieve. This can be seen by looking at the security goals of SRP; one of the things it tries to do is ensure that if an attacker poses as a host, and an authorized user tries to log in, the attacker cannot learn the password (except for possibly excluding one candidate password). Now, if the host had an internal primitive that tested 'is X the correct password', and had no other means of verifying the password, then no matter what protocol the host ran, the attacker could run exactly the same logic as the actual host, and when it came to that primitive, just take the value X. Hence, if that sort of primitive is the only means the host can use to validate passwords, then it cannot provide the same security properties that SRP would provide.

-- poncho
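To make the point of the reply concrete, here is an added SRP-6a walkthrough in pure Python (example code written for this page, not from either poster or from any SRP library). It shows where the password is needed: once at enrollment to derive the verifier v = g^x mod N, and on the client at every login. The server later works only from (salt, v), which is exactly what an application that can only ask an LDAP server "is this password correct?" does not have, so it can never produce the B value the protocol needs. The group modulus is intended to be the 1024-bit group from RFC 5054 Appendix A, transcribed here and worth checking against the RFC before any real use; the algebra is the same for any (N, g). Usernames, passwords and salt are constructed sample values.

```python
"""SRP-6a (RFC 5054 style) in pure Python, added as an example for this thread.
Enrollment needs the password once to derive the verifier v; afterwards the
server holds only (salt, v) and never sees the password again."""
import hashlib
import secrets

# Intended to be the 1024-bit group from RFC 5054 Appendix A (transcribed here;
# verify against the RFC before reuse). The protocol math holds for any (N, g).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Big-endian encoding padded to the byte length of N (RFC 5054's PAD)."""
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, interpreted as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))


def private_key_x(salt: bytes, username: bytes, password: bytes) -> int:
    """x = H(salt | H(username ':' password)).
    This is the only place the cleartext password enters the protocol."""
    inner = hashlib.sha256(username + b":" + password).digest()
    return H(salt, inner)


def enroll(username: bytes, password: bytes) -> tuple[bytes, int]:
    """Registration. The server stores only (salt, v) with v = g^x mod N,
    but computing v requires x, hence the password (or a hash of it)."""
    salt = secrets.token_bytes(16)
    x = private_key_x(salt, username, password)
    return salt, pow(g, x, N)


def run_srp(username: bytes, password_typed: bytes, salt: bytes, v: int):
    """One SRP-6a login exchange, both sides simulated in-process.
    Returns (client_key, server_key, server_accepted_client_proof)."""
    # Client ephemeral value A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server ephemeral value B = k*v + g^b: it cannot be formed without v
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    # Scrambling parameter known to both sides after exchanging A and B
    u = H(pad(A), pad(B))
    # Client: recompute x from what the user typed, then S = (B - k*g^x)^(a + u*x)
    x = private_key_x(salt, username, password_typed)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: S = (A * v^u)^b, using the stored verifier only
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    K_server = hashlib.sha256(pad(S_server)).digest()
    # Client proof M1 = H(A | B | K); the server checks it with its own K
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()
    accepted = hashlib.sha256(pad(A) + pad(B) + K_server).digest() == M1
    return K_client, K_server, accepted


if __name__ == "__main__":
    # Constructed sample credentials
    salt, v = enroll(b"alice", b"correct horse battery staple")
    _, _, ok = run_srp(b"alice", b"correct horse battery staple", salt, v)
    _, _, bad = run_srp(b"alice", b"wrong password", salt, v)
    print("correct password accepted:", ok, "| wrong password accepted:", bad)
```

The two `pow` calls in `run_srp` are the heart of the reply above: the server's computation uses v and never the password, but v itself can only be produced by someone who once held the password or a hash of it. A host whose only verification capability is a yes/no bind against a directory has no v to store, so there is no SRP (or EKE-style) protocol it can run, and a fake host built on the same bind primitive would simply read X off the wire.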