[cryptography] Client-side SRP "vs." server-side KDF

Solar Designer solar at openwall.com
Wed Aug 15 21:59:35 EDT 2012

On Thu, Aug 16, 2012 at 02:46:58AM +0200, Patrick Mylund Nielsen wrote:
> Blizzard Entertainment has been receiving a lot of flak from tech and mass
> media lately for choosing to employ SRP in their Battle.net clients and
> games. A lot of these outlets have been suggesting that SRP is "weaker"
> than KDFs, and that Blizzard switch out SRP on the client side for a KDF on
> the server side. That seems to me a very apples-to-oranges comparison
> (indeed akin to blaming Diffie-Hellman key exchange for the fact that DES
> is easy to break,) and indeed would only replace one security issue (weak
> password digests/verifiers on the server) for another (susceptibility to
> network eaves-dropping.) As far as I know, the SRP authors never made any
> claim about the verifiers being hardened against dictionary attacks.

Indeed.  It would be best for Blizzard to add a decent KDF, but continue
using SRP as well.

Meanwhile, this apparent leak of SRP verifiers has resulted in us adding
support to John the Ripper - initially for Blizzard's revision of SRP
based on publicly available information (reverse-engineered by others).
For this one, we're getting speeds of up to about 70k combinations (of
{candidate password, target verifier}) per second per CPU core - that's
using a 64-bit build of GMP (with OpenSSL's modexp code the speeds are
somewhat lower; ditto on 32-bit).

Apparently, Blizzard has since moved away from the 256-bit modulus, so
speeds for more recently changed passwords may be lower.

However, much of this is speculation.  We don't actually have access to
the presumably leaked Blizzard SRP verifiers.  Has anyone in here
actually seen those?  We'd like to verify that our code is actually
working right.

Disclaimer and credit: I did not work on the JtR implementation myself;
JimF did.


More information about the cryptography mailing list