[cryptography] Secure Remote Password (SRP) and Plaintext Email Address

James A. Donald jamesd at echeque.com
Thu Oct 18 21:03:18 EDT 2012


On 2012-10-19 10:52 AM, Jeffrey Walton wrote:
> Hi All,
>
> I have a Secure Remote Password (SRP) implementation that went through
> a pen test. The testers provided a critical finding - the email
> address was sent in the plaintext. Note that plaintext email addresses
> are part of the protocol.
>
> I'm not really convinced that using an email address in the plaintext
> for the SRP protocol is finding-worthy, considering email addresses
> are public information. And I'm very skeptical that it's a critical
> finding.
>
> With that said, what are the options here? I was thinking a simple
> mask function, which would remove the "plaintext-ness" (but not add
> any security to the system). Heuristically, masking the email address
> is *not* less secure than sending the email in the plaintext.
>
> Any ideas?
>
> Jeff
Please describe protocol

I conjecture that it works as username and password, and the email 
addresses are the username.  If so, why not make a one way hash of the 
email address the username, rather than the plaintext email address?
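One way to realise the suggestion above (a one-way hash of the e-mail address as the SRP username), as an added example that is not code from this thread or from Jeff's implementation. It assumes an SRP-6a style exchange with SHA-256, the 1024-bit RFC 5054 group (constants transcribed here; verify them against the RFC before any real use), a placeholder scope label `example.invalid`, and the names `identity_from_email`, `Server` and `run_exchange`, all constructed for this example.

```python
"""SRP-6a exchange in which the identity sent on the wire is a hash of the
e-mail address rather than the address itself.  Added example; not code from
the mailing-list thread.  Group parameters: 1024-bit group of RFC 5054 as
transcribed here (check against the RFC before use)."""
import hashlib
import secrets

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
NLEN = (N.bit_length() + 7) // 8          # 128 bytes for this group


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding, as PAD() in RFC 5054."""
    return n.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K_MULT = H(pad(N), pad(G))                 # SRP-6a multiplier k = H(N | PAD(g))


def identity_from_email(email: str, scope: bytes = b"example.invalid") -> str:
    """Masked identity I: hash of the normalised address bound to a
    deployment-specific scope label, so the same address yields different
    identities on different services.  The scope value is a placeholder."""
    norm = email.strip().lower().encode()
    return hashlib.sha256(b"srp-identity-v1|" + scope + b"|" + norm).hexdigest()


def private_x(salt: bytes, identity: str, password: str) -> int:
    """x = H(s | H(I | ":" | P)); I is the masked identity, not the e-mail."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


class Server:
    """Stores (salt, verifier) per masked identity; never sees the password."""

    def __init__(self) -> None:
        self.users = {}       # masked identity -> (salt, verifier)
        self.sessions = {}    # masked identity -> session key of last login

    def register(self, identity: str, salt: bytes, verifier: int) -> None:
        self.users[identity] = (salt, verifier)

    def start(self, identity: str, A: int):
        """Handle the client's (I, A); reply with (s, B) and keep the key."""
        if A % N == 0:                        # mandatory SRP check
            raise ValueError("client public value A is zero mod N")
        salt, v = self.users[identity]
        b = secrets.randbelow(N - 1) + 1
        B = (K_MULT * v + pow(G, b, N)) % N
        u = H(pad(A), pad(B))
        S = pow((A * pow(v, u, N)) % N, b, N)
        self.sessions[identity] = hashlib.sha256(pad(S)).digest()
        return salt, B


def client_session_key(identity: str, password: str, a: int, A: int,
                       salt: bytes, B: int) -> bytes:
    """Client side: derive the session key from the server's (s, B)."""
    if B % N == 0:                            # mandatory SRP check
        raise ValueError("server public value B is zero mod N")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("scrambling parameter u is zero")
    x = private_x(salt, identity, password)
    base = (B - K_MULT * pow(G, x, N)) % N    # equals g^b mod N
    S = pow(base, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def run_exchange(email: str, password: str, login_password: str = None) -> dict:
    """Register with `password`, then log in with `login_password`
    (defaults to the same).  Returns what went on the wire as identity
    plus both sides' session keys so they can be compared."""
    login_password = password if login_password is None else login_password
    server = Server()
    I = identity_from_email(email)            # only the hash leaves the client
    salt = secrets.token_bytes(16)
    server.register(I, salt, pow(G, private_x(salt, I, password), N))

    a = secrets.randbelow(N - 1) + 1
    A = pow(G, a, N)
    salt, B = server.start(I, A)
    client_key = client_session_key(I, login_password, a, A, salt, B)
    return {"wire_identity": I, "client_key": client_key,
            "server_key": server.sessions[I]}


if __name__ == "__main__":
    r = run_exchange("Alice@Example.org", "correct horse battery staple")
    print("identity on the wire:", r["wire_identity"])
    print("keys agree:", r["client_key"] == r["server_key"])
```

The hash keeps the literal address off the wire and the scope label stops one service's identities from being matched against another's, but an e-mail address is a public, low-entropy value: anyone with a list of candidate addresses can confirm which one produced a given hash, so this is masking in the sense Jeff describes, not confidentiality. Separately, the server's `(s, B)` reply still reveals whether an identity is registered unless the server answers unknown identities with a consistent dummy salt and `B`, which the example above does not do.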



More information about the cryptography mailing list