[cryptography] Secure Remote Password (SRP) and Plaintext Emil Address

Jeffrey Walton noloader at gmail.com
Thu Oct 18 20:52:36 EDT 2012


Hi All,

I have a Secure Remote Password (SRP) implementation that went through
a pen test. The testers provided a critical finding - the email
address was sent in the plaintext. Noe that plaintext email addresses
are part of the protocol.

I'm not really convinced that using an email address in the plaintext
for the SRP protocol is finding-worthy, considering email addresses
are public information. And I'm very skeptical that its a critical
finding.

With that said, what are the options here? I was thinking a simple
mask function, which would remove the "plaintext-ness" (but not add
any security to the system). Heuristically, masking the email address
is *not* less secure than sending the email in the plaintext.

Any ideas?

Jeff



More information about the cryptography mailing list