[cryptography] Secure Remote Password (SRP) and Plaintext Emil Address

Jeffrey Walton noloader at gmail.com
Thu Oct 18 21:21:32 EDT 2012

On Thu, Oct 18, 2012 at 9:03 PM, James A. Donald <jamesd at echeque.com> wrote:
> On 2012-10-19 10:52 AM, Jeffrey Walton wrote:
>> Hi All,
>> I have a Secure Remote Password (SRP) implementation that went through
>> a pen test. The testers provided a critical finding - the email
>> address was sent in the plaintext. Noe that plaintext email addresses
>> are part of the protocol.
>> I'm not really convinced that using an email address in the plaintext
>> for the SRP protocol is finding-worthy, considering email addresses
>> are public information. And I'm very skeptical that its a critical
>> finding.
>> With that said, what are the options here? I was thinking a simple
>> mask function, which would remove the "plaintext-ness" (but not add
>> any security to the system). Heuristically, masking the email address
>> is *not* less secure than sending the email in the plaintext.
>> Any ideas?
> Please describe protocol
With lots of hand waiving, SRP is a PAKE that utilizes Diffie-Hellman.
Rather than g^ab, SRP uses g^password, plus random values from client
and server for each instance of the protocol. On the server, the
server stores a {email, salt, Hash(password)} tuple - it looks a lot
like a Unix password file.

The IETF specifications are available at
http://www.ietf.org/rfc/rfc2945.txt (SRP-3) and
http://tools.ietf.org/rfc/rfc5054.txt (SRP-6). SRP-3 is similar to
Thomas Wu's original specification while at Stanford. SRP-6 is
hammering SRP into the SSL/TLS hole.

> I conjecture that it works as username and password, and the email addresses
> are the username.  If so, why not make a one way hash of the email address
> the username, rather than the plaintext email address?
Yes, your intuition is correct.


More information about the cryptography mailing list