[cryptography] SRP 6a + storage of password's related material strength?

Jeffrey Goldberg jeffrey at goldmark.org
Fri Mar 13 12:19:46 EDT 2015

On Mar 13, 2015, at 3:25 AM, Fabio Pietrosanti (naif) - lists <lists at infosecurity.ch> wrote:

> SRP is a very cool authentication protocol, not yet widely deployed, but
> with very interesting properties.

Indeed it is.

> I'm wondering how strong is considered the storage of the password's
> related material strength?

As others have said, these are separate properties. SRP is independent
of the KDF. It does not solve or address the problem of password cracking.

> I mean, from a passive/offline brute forcing perspective, how can be
> compared scrypt vs. SRP's server-side storage of passwords?

As others have said, this is like comparing AES with PBKDF2. They
address different problems.

> Has anyone ever considered that kind of problem?

Yes. I have, but nothing written up yet.

One (of several) advantages of SRP is that the password is never
sent as plaintext to the server. Thus, it reduces the scope of the server
from capturing the password. So it makes it harder for the server to
“be evil”.

So this may still be a worthwhile thing for you to pursue, even if it doesn't
solve the fact that you are storing stuff that needs to be kept secret
because it can be cracked.

Also note that if you are delivering the SRP routines to the client
in a web browser, then this gains you nothing, as a compromised
server could just deliver malicious JavaScript. That is, your delivery
system is vulnerable to the same attacks that you are trying to
defend against by using SRP.

> Because SRP protocol is cool, but I'm really wondering if the default
> methods are "strong enough" against brute forcing.

Forgive the repetition of what I and others have said: SRP has nothing
to say about brute forcing.
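
Added illustration, not part of the original message: the SRP verifier the server stores is a deterministic function of the salt and password, so the cost of checking one guess against a leaked record is set entirely by how `x` is derived, not by SRP. It compares the RFC 5054 default derivation with an assumed PBKDF2-stretched variant. The function names and the round count are hypothetical, and the inputs are the RFC 5054 Appendix B test values.

```python
import hashlib

# RFC 5054 Appendix A 1024-bit group, used here only so the RFC's test inputs apply.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2

def x_default(salt: bytes, user: str, password: str) -> int:
    """RFC 5054: x = SHA1(salt | SHA1(user ":" password)), one cheap hash pass."""
    inner = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")

def x_stretched(salt: bytes, user: str, password: str, rounds: int = 100_000) -> int:
    """Assumed variant: stretch the password with PBKDF2 before it becomes x
    (scrypt would slot in the same way). Only the client computes x, so the
    SRP exchange and the server's stored (salt, v) format are unchanged."""
    secret = f"{user}:{password}".encode()
    return int.from_bytes(hashlib.pbkdf2_hmac("sha256", secret, salt, rounds), "big")

def verifier(x: int) -> int:
    """What the server stores next to the salt: v = g^x mod N."""
    return pow(G, x, N)

def record_matches(derive_x, salt: bytes, user: str, candidate: str, stored_v: int) -> bool:
    """Work to test ONE candidate against a leaked (salt, v):
    one run of derive_x plus one modular exponentiation."""
    return verifier(derive_x(salt, user, candidate)) == stored_v

# RFC 5054 Appendix B test inputs.
SALT = bytes.fromhex("BEB25379D1A8581EB5A727673A2441EE")
USER, PASSWORD = "alice", "password123"

if __name__ == "__main__":
    for name, derive in (("default", x_default), ("stretched", x_stretched)):
        v = verifier(derive(SALT, USER, PASSWORD))
        print(name,
              record_matches(derive, SALT, USER, PASSWORD, v),
              record_matches(derive, SALT, USER, "wrong-guess", v))
```

With `x_default` each check costs two SHA-1 calls and one exponentiation; with `x_stretched` it costs the full PBKDF2 run as well, which is the only part that slows offline guessing.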


