Thread: Status of SRP

2006-05-30 23:41:57
The obvious solution to the phishing crisis is the widespread deployment
of SRP, but this does not seem to be happening. SASL-SRP was recently
dropped. What is the problem?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo metzdowd.com

2006-05-31 05:32:43
* James A. Donald:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?

There is no way to force an end user to enter a password only over
SRP. That's why SRP is not effective against phishing (even the
mimicry variant). In that regard, the password input field was a huge
mistake. Fortunately, it doesn't matter because today, we must assume
that the client is thoroughly compromised, which means that entering
passwords over SRP isn't safe, either.

2006-05-31 03:56:19
Quoting "James A. Donald" <jamesd echeque.com>:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?

Patents.

-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord MIT.EDU PGP key available

2006-05-31 02:37:14
James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?

I disagree here, I don't think this will stop phishing for many reasons.
Please explain how it would. It will stop "man-in-the-middle" attacks on
the protocol, but phishers aren't attacking the protocols themselves.
It's still single-auth and I can still obtain the user password via
phishing. Please correct me if I'm wrong but phishing is before this
protocol will be accessed.

If Mallory convinces Carol to log into a spoofed site that looks like
Steve not running SRP, then u and x are obtained by Mallory. Mallory
simply logs into Steve with U and X.

In SRP what is preshared is g^x where x = H(s,p) where s is a salt and p
is the password.

p would be a weakness here because the user knows it, and in phishing,
if the user knows it, the user is vulnerable.

My 2 cents.
--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://securescience.net/home/news/phishingexposed.html

2006-05-31 01:53:57
On Wed, May 31, 2006 at 09:41:57AM +1000, James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?

The obvious solution is perhaps more difficult to deploy in an environment
where loss of ubiquitous access trumps security gains. It takes years to
*field* new infrastructure. When the designer calls the problem solved,
the real work begins, or not, if the market is not yet ready for the
solution.

--
 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X  AGAINST      IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

2006-05-31 02:00:59
On Wed, 31 May 2006, James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?

"Phishing" can mean a few different things. If by "phishing" you
mean the stealing of passwords, then yes, SRP would help to eliminate
that problem, but users could still be fooled into giving away their
SRP passwords if the user interface for entering the password is
convincingly imitated.

Some people use "phishing" to refer to the online capture of
identity-related information in general, in which case SRP falls
far short of a complete solution. I think it's a difference in
philosophy: some see passwords as the ultimate goal; some see
passwords as one of many possible means to the ultimate end, which
is identity theft.

I'm working on Passpet, a password management tool that tries to
address several of the big phishing-related problems including
password capture and dictionary attack, and for the authentication
part i chose SRP. So that's one place it's getting used, anyway.

-- ?!ng

2006-06-01 14:20:08
James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?

Unfortunately, SRP is not the solution to the phishing problem.

The phishing problem is made up of many subtle sub-problems involving
the ease of spoofing a web site and the challenges involved in securing
the enrollment and password change mechanisms. SRP would allow a client
to know that a service is in fact the correct service when the
authentication succeeds. However, it would not help in the situation
when the authentication fails. This could be because the user is not
sure of what the password is or even sure which account name was being
used.

Solving the phishing problem requires changes on many levels:

(1) Some form of secure chrome for browsers must be deployed where
    the security either comes from a "trusted desktop" or by per-user
    customizations that significantly decrease the chances that the
    attacker can fake the web site experience. (Prevent the attacker
    from replicating the browser frame, toolbars, lock icons,
    certificate dialogs, etc.)

(2) Reducing the number of accounts and passwords (or other identifiers)
    that end users need to remember. With a separate identifier for
    each and every web site it is no surprise that my extended family
    can never remember what was used at each site. Therefore, it is
    not much of a surprise when a site says that the authentication
    failed.

(3) Secure mechanisms must be developed for handling enrollment and
    password changing.

Only then can we truly address the phishing problem.

Jeffrey Altman

2006-06-02 11:47:11
On 5/30/06, Derek Atkins <warlord mit.edu> wrote:
> Quoting "James A. Donald" <jamesd echeque.com>:
> > The obvious solution to the phishing crisis is the widespread
> > deployment of SRP, but this does not seem to be happening. SASL-SRP was
> > recently dropped. What is the problem?
>
> Patents.

Seconded. When I was doing some software development, we investigated
strong password solutions, and to my knowledge they were all under the
shadow of patents.

In the end, it didn't matter, since I was using it in a distributed
IDS system, and users weren't necessarily going to be present, even at
boot. For machine-to-machine authentication, they're irrelevant
(assuming a good source of unpredictability). For everything but
first-time authentication between the browser and the site, and key
changes, they can be ignored in favor of cached keys (a la ssh) if you
can design a UI that presents them in an easy-to-understand manner.

Rumor has it that Vista will send every URL visited to Microsoft for
vetting against a blacklist ostensibly to protect users against
phishing*, which I suppose trades one problem for another, although
for most people's concerns it's probably a win, since they're running
a MS product in the first place. It can allegedly be turned off.

[*] When it was announced that the low-cost Asian version of Windows
would only be able to run a limited number of programs at once (I
think it was four), MS's PR department described the limit as being
there to "reduce confusion". That's either insulting to all Asians'
intelligence, or everyone's, depending on how credulous you are. I
wonder how much they get paid to come up with things like that.
--
Scientia Est Potentia -- Eppur Si Muove
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

2006-06-03 08:34:03
On Thu, 1 Jun 2006, Jeffrey Altman wrote:
> Solving the phishing problem requires changes on many levels:

I agree.

> (1) Some form of secure chrome for browsers must be deployed where
>     the security either comes from a "trusted desktop" or by per-user
>     customizations that significantly decrease the chances that the
>     attacker can fake the web site experience.

What do you think of the various trusted-path ideas that have been
proposed? In particular i'm curious what you think of the solution
i currently favour (the customized toolbar button), but some of the
others certainly seem promising (such as PwdHash's special hotkey
at the beginning of a password).

> (2) Reducing the number of accounts and passwords (or other identifiers)
>     that end users need to remember.

Password hashing is one way to deal with this. In Passpet's case,
the password is generated by hashing a master secret with a label
that you provide for each site.

> (3) Secure mechanisms must be developed for handling enrollment and
>     password changing.

With Passpet, you would click the button to fill in the password on a
new account registration form, which generates a unique password for
the site. To change your password, you would go to the site's account
settings page, click the button to fill in your old password, edit the
site label, then click the button again to get a new password.

Does that address the issues you had in mind, or were you thinking of
other situations?

-- ?!ng

2006-06-03 04:25:55
--
Jeffrey Altman wrote:
> Unfortunately, SRP is not the solution to the phishing
> problem. The phishing problem is made up of many
> subtle sub-problems involving the ease of spoofing a
> web site and the challenges involved in securing the
> enrollment and password change mechanisms.
With SRP, the web site cannot be spoofed, for it must
prove it knows the user's secret passphrase.
Now Wagner keeps complaining that the users are complete
morons, who could be taken in by a very shoddy spoof,
and no doubt that is true, but right now it is possible
to make a very good spoof, and that can be fixed.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
K0DkzvBcnUAkU1t725Cg9Fmh6awjA9b9S8SmmanA
4HYHXPVEWxmojVTOmRDh7L/Eu6KRWMz3WCh5tL2Eq
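Added example (not part of any message in this thread and not code from any SRP implementation): a simplified SRP-6a-style exchange in Python illustrating two points argued above, that the server stores only a salt and g^x with x = H(s,p), and that a site without that verifier cannot produce a key proof the client accepts. The group (N, g), the hash framing and all function names are assumptions chosen for brevity; the client-to-server proof message of the full protocol is omitted.

```python
import hashlib
import secrets

# Demo group (assumption): N = 2**521 - 1 is prime but is NOT a vetted SRP
# group; real deployments use a standardized safe-prime group.
N, g = 2**521 - 1, 3

def H(*parts) -> int:
    """Hash length-prefixed byte strings / integers to an integer."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes(66, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def enroll(password: bytes):
    """Server stores (salt, v = g^x), never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, password), N)

def server_step(v: int, A: int):
    """Server sends B = k*v + g^b and derives its key from the verifier v."""
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = H(A, B)
    S = pow(A * pow(v, u, N) % N, b, N)
    return B, H(S)

def client_step(password: bytes, salt: bytes, a: int, A: int, B: int) -> int:
    """Client derives the same key from the typed password, not from v."""
    x, u = H(salt, password), H(A, B)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return H(S)

def login(password: bytes, salt: bytes, server_v: int) -> bool:
    """One exchange; True only if the server's key proof verifies."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    B, k_server = server_step(server_v, A)
    k_client = client_step(password, salt, a, A, B)
    server_proof = H(A, B, k_server)   # sent by the server
    return server_proof == H(A, B, k_client)
```

The password is never transmitted in `login`; only A, B and the proof cross the wire. A failed proof looks the same whether the site lacks the verifier or the user mistyped the password, which is the failure case raised earlier in the thread.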