[cryptography] Client-side SRP "vs." server-side KDF

Patrick Mylund Nielsen cryptography at patrickmylund.com
Wed Aug 15 20:46:58 EDT 2012

Blizzard Entertainment has been receiving a lot of flak from tech and mass
media lately for choosing to employ SRP in their Battle.net clients and
games. A lot of these outlets have been suggesting that SRP is "weaker"
than KDFs, and that Blizzard switch out SRP on the client side for a KDF on
the server side. That seems to me a very apples-to-oranges comparison
(indeed akin to blaming Diffie-Hellman key exchange for the fact that DES
is easy to break), and indeed would only replace one security issue (weak
password digests/verifiers on the server) for another (susceptibility to
network eavesdropping). As far as I know, the SRP authors never made any
claim about the verifiers being hardened against dictionary attacks.

It seems to me that a strong KDF on the client side, like PBKDF2 or scrypt
(optionally with a salt managed by the server), coupled with a
non-reproducible proof of some sort, like SRP, would be the ideal solution,
not one or the other. What do you think?
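
The combination proposed in the message above, sketched as an added example (not part of the original post, and not Blizzard's or the SRP authors' code): PBKDF2 on the client produces the SRP exponent x, and an SRP-6a exchange then proves knowledge of it without sending anything replayable. The function names, the demo group and the PBKDF2 parameters are assumptions made for this sketch.

```python
import hashlib, os

# Demo group constructed for this example: N is the Mersenne prime 2**521 - 1.
# Real deployments use a standardized safe-prime group (e.g. from RFC 5054).
N, G = 2**521 - 1, 3
NLEN = (N.bit_length() + 7) // 8

def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

K = H(pad(N), pad(G))  # SRP-6a multiplier k = H(N, g)

def derive_x(user: str, password: str, salt: bytes, iterations: int) -> int:
    """Client side: stretch the password with PBKDF2 to get the SRP exponent x.
    Assumed here: the server supplies salt and iteration count; the password never leaves the client."""
    secret = f"{user}:{password}".encode()
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", secret, salt, iterations), "big")

def make_verifier(user, password, salt, iterations=200_000) -> int:
    """Registration: the server stores only (salt, iterations, v = g^x mod N)."""
    return pow(G, derive_x(user, password, salt, iterations), N)

def srp_login(user, password, salt, verifier, iterations=200_000):
    """One SRP-6a exchange, both sides in-process. Returns (client_key, server_key, A, B)."""
    a = int.from_bytes(os.urandom(32), "big")   # client ephemeral secret
    b = int.from_bytes(os.urandom(32), "big")   # server ephemeral secret
    A = pow(G, a, N)                            # client -> server
    B = (K * verifier + pow(G, b, N)) % N       # server -> client
    u = H(pad(A), pad(B))
    if A % N == 0 or B % N == 0 or u == 0:      # abort conditions required by SRP
        raise ValueError("invalid SRP public value")
    x = derive_x(user, password, salt, iterations)
    s_client = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    return (hashlib.sha256(pad(s_client)).digest(),
            hashlib.sha256(pad(s_server)).digest(), A, B)
```

Because x comes out of PBKDF2, each guess against a stolen verifier costs a full PBKDF2 run plus a modular exponentiation, while the fresh a and b make every login transcript different.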
