re: question on campus computer security


David Jablon (dpj@world.std.com)
Wed, 20 May 1998 08:50:38 -0400


>On Tue, 19 May 1998, David Jablon wrote:
>> With regard to Kerberos "more mature" == less secure. In fact, SRP-3,
>> B-SPEKE, and A-EKE were specifically designed to prevent known attacks
>> that succeed against Kerberos. [...]

At 08:51 PM 5/19/98 -0700, Greg Noel wrote:
>Hey, I like SRP or I wouldn't have mentioned it. And it probably is
>stronger than Kerberos. I'm even proposing to use it in a project I
>want to do.
>But it's only a couple of years old. Even though the theory is good,
>earlier versions of it were broken due to small implementation details.
>There's no way to _prove_ that such a detail won't trip up the current
>version.

Age is an unreliable factor. SRP-3 is actually less than a year old,
and SRP-1 was broken due to flaws in protocol *design* -- not
just implementation detail. SPEKE is more than a year older,
and EKE a few more. But one of the oldest EKE protocols was
recently broken. Yet, even the "broken" forms of these
protocols are still often stronger than any older alternatives.

While it may be true that there's no general way to prove
the absence of *implementation* flaws, this concern exists
with any protocol. Given the choice between an uncertain
implementation of a weak protocol vs. a strong one, I'd
choose the latter.

It also seems that any vendor who cares enough to consider
a strong protocol is likely to take more care to avoid
mundane programming errors, at least more than vendors who
turn a blind eye to these problems.

>I respect the opinions of those who've evaluated the protocol; I'll even
>agree that it doesn't have any obvious flaws. I'm obviously willing to
>trust it to some extent or it wouldn't be in my project proposal.
>
>In five or ten years we'll know if it's as secure as it appears. Until
>then, the age of the protocol is something that should be considered in
>the risk assessment.

Of course. But it doesn't necessarily take a long time
to evaluate a new protocol, especially when it builds upon
earlier work. DH-EKE is a form of Diffie-Hellman with
password-encrypted exponentials. SRP-3 is a further refinement
of a dual DH exchange. SPEKE is DH with a password-derived
generator, with fewer constraints on how it uses DH.

Even if you allow for design flaws, it is trivial
to use these protocols to guarantee strength at least no
weaker than older methods. For example, if you like
other things about Kerberos, instead of using a password as
the key for encrypting the TGT, use key = SHA1(password, K),
where K comes from a strong password-authenticated exchange.
Build from there.

>And if his current problem is sending passwords across in the clear, any
>of the methods are vastly to be preferred.

I agree. But I've also heard arguments that 40-bit encryption is
worse than nothing, as it mainly gives the illusion of security.
Challenge/response, original Kerberos, and other old password
methods are roughly equivalent to this.

>BTW, that's a very cool page with a lot of good info.
>> [...] <http://world.std.com/~dpj/>

Thanks.
------------------------------------
David Jablon
Integrity Sciences, Inc.
dpj@world.std.com
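
An added example, not part of the message above or of any protocol author's code: a SPEKE exchange as the message describes it (DH with a password-derived generator), whose result K feeds the suggested key = SHA1(password, K). The SHAKE-256 generator derivation, the choice of the RFC 2409 group, plain concatenation inside SHA1, the sample passwords and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Oakley Group 1 modulus from RFC 2409 (768-bit safe prime, P = 2Q + 1).
# Used only to keep the listing short; too small for deployment.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def generator(password: bytes) -> int:
    # SPEKE: the DH generator is derived from the password. Squaring forces
    # it into the order-Q subgroup. SHAKE-256 is this example's assumption.
    h = int.from_bytes(hashlib.shake_256(password).digest(96), "big") % P
    g = pow(h, 2, P)
    if g in (0, 1):
        raise ValueError("degenerate generator")
    return g

def keypair(password: bytes):
    x = secrets.randbelow(Q - 2) + 2          # private exponent in [2, Q-1]
    return x, pow(generator(password), x, P)  # (private, public)

def shared_secret(x: int, peer_public: int) -> bytes:
    # Reject 0, 1 and P-1: they would confine K to a guessable value.
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer value")
    return pow(peer_public, x, P).to_bytes(96, "big")

def tgt_key(password: bytes, k: bytes) -> bytes:
    # key = SHA1(password, K) from the message; plain concatenation is assumed.
    return hashlib.sha1(password + k).digest()

def demo():
    pw = b"constructed-sample-password"       # constructed sample value
    cx, cpub = keypair(pw)                    # client
    sx, spub = keypair(pw)                    # KDC, same password
    good = tgt_key(pw, shared_secret(cx, spub)) == tgt_key(pw, shared_secret(sx, cpub))
    gx, gpub = keypair(b"wrong-guess")        # party that does not know pw
    bad = shared_secret(gx, spub) == shared_secret(sx, gpub)
    return good, bad

if __name__ == "__main__":
    print(demo())
```

A party using the wrong password ends up with a different K, so a captured exchange gives it nothing to test further password guesses against offline.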



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:17:30 ADT