CryptKit 0.9: cryptsock

Paul Crowley paul at JUNKCATCHER.ciphergoth.org
Sun Dec 2 21:26:10 EST 2001


Paul Rubin <phr-n2001d at nightsong.com> writes:

> Bryan <bryan at eevolved.com> writes:
> > Thanks for the link, it led me to research other password-based
> > key-agreement schemes. I found Authentication and Key Agreement via
> > Memorable Password (
> > http://citeseer.nj.nec.com/kwon00authentication.html ) which claims
> > to be the most efficient of all of them ( EKE, PAK, SRP, GXY, AuthA
> > ).  I believe I will implement AMP.  Your input would be
> > appreciated.
> 
> I'm not familiar with AMP.  The SRP paper has references to some other
> protocols of this type though.  Main problem I see is patent issues
> around many of them.  I believe SRP was developed in order to avoid
> the EKE patent.
> 
> I'm cross-posting to sci.crypt to solicit some wisdom from that
> newsgroup.

AMP carries a "proof of security", but I can't follow it, and I spoke
to an expert in this field who says he's not convinced by it either.
Furthermore, AMP has a similar problem to SRP, that a sufficiently
devious fake server can check two passwords with every query.  That
the proof doesn't rule this out indicates some problems with it.

It's straightforward to propose a variant on AMP that doesn't have
this problem, and that variant may be secure, but I'd like to have a
better way to construct the proof of security for that.

As far as I can tell from the ResearchIndex URL, that paper hasn't
been published yet as such.  I think the protocol has great merit and
I hope it does get published, though I don't see the advantages of the
"amplification scheme" over simply encrypting the password file with a
symmetric cipher.

If I was going to implement something now, I'd certainly use SRP.
-- 
  __  Paul Crowley
\/ o\ sig at paul.ciphergoth.org
/\__/ Employ me! http://www.ciphergoth.org/cv
Cryptography, Linux, Unix, Perl, C/C++, Java, TCP/IP, and more.