Secure Remote Password protocol (opens in new tab)

(en.wikipedia.org)

17 pointsDorothySim8y ago19 comments

19 comments

While this is interesting historical reading, SRP is badly outdated and should not be used for any newly built systems. It has a lot of non-obvious failure modes around parameter handling and offline password cracking that have broken the authentication mechanism in every implementation I've seen in the real world (new implementations, not when using large packages such as OpenSSL).

Furthermore, PAKEs are of relatively limited utility; in almost every situation you could use a PAKE, there is a better, more battle-tested alternative. You will be much less likely to have complete authentication bypass in your system if you use mutual TLS rather than a PAKE.

If you have to use a PAKE, use a reviewed implementation of SPAKE2. Oh wait, there aren't any. Don't use a PAKE.

tptacek8y ago

A nit: even compared to some recent designs, SRP is pretty thoughtful about offline password cracking. It's not as expensive to crack as a real password hash, but far more expensive than other PAKEs.

tprynn8y ago

I haven't read enough about the other PAKEs to know what offline attacks look like there, but the fact that they are endemic to PAKEs is a total footgun.

For example, one implementation of SRP I looked at used 8-digit codes (e.g. 12345678) to connect new devices to a network. Eight digits was enough to prevent brute-forcing by repeatedly sending codes to the server, but not enough to prevent an attacker from MITMing the connection and brute-forcing the code offline, because the server was using a bad RNG.

2 more replies

motive8y ago

I thought I remembered 1Password using SRP (https://blog.agilebits.com/2015/11/11/how-1password-for-team...).

I admittedly don't know enough about the underlying cryptography to have an educated opinion, but it seems like they put some due diligence into determining it still provided value.

tprynn8y ago

1Password uses TLS, and SRP inside TLS. If TLS is broken as in Cloudbleed, SRP hopefully still protects the channel - at least against non-active attacks such as Cloudbleed. The security still ultimately relies on TLS. Having not read the document fully, I think those would be against initial registration or in an active MITM allowing password-guessing. I'm looking at page 52 of https://1password.com/teams/white-paper/1Password%20for%20Te....

MDrollette8y ago

I'm curious why ProtonMail would have chosen SRP given your comments. https://protonmail.com/blog/encrypted_email_authentication/

tprynn8y ago

I don't think you'll find many people in the security industry who think ProtonMail is anything but a joke. I'll leave you with this (written by 'tptacek): https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

technion8y ago

As always, a relevant demonstration:

https://cryptopals.com/sets/5/challenges/37

alfalfasprout8y ago

This sounds like ephemeral diffie hellman. Is that still protected by patents? I wouldn't think so seeing we've had robust implementations in openssl for a long time now.

dfc8y ago

> The Secure Remote Password protocol (SRP) is an augmented password-authenticated key agreement (PAKE) protocol, specifically designed to work around existing patents.[1]

tptacek8y ago

It's not ephemeral Diffie-Hellman.

DorothySimOP8y ago

According to this [0] they are related ("SRP is related to Diffie-Hellman.").

[0]: http://web.archive.org/web/20130407190430/http://chargen.mat...

1 more reply

throwaway2016a8y ago

The part I found interesting was "specifically designed to work around existing patents"

cvwright8y ago

Specifically, Bellovin & Merritt's Encrypted Key Exchange (EKE).

https://en.wikipedia.org/wiki/Encrypted_key_exchange

The patent is expired now though.

j / k navigate · click thread line to collapse

19 comments

tprynn8y ago

If you have to use a PAKE, use a reviewed implementation of SPAKE2. Oh wait, there aren't any. Don't use a PAKE.

tptacek8y ago

A nit: even compared to some recent designs, SRP is pretty thoughtful about offline password cracking. It's not as expensive to crack as a real password hash, but far more expensive than other PAKEs.

tprynn8y ago

I haven't read enough about the other PAKEs to know what offline attacks look like there, but the fact that they are endemic to PAKEs is a total footgun.

2 more replies

motive8y ago

I thought I remembered 1Password using SRP (https://blog.agilebits.com/2015/11/11/how-1password-for-team...).

I admittedly don't know enough about the underlying cryptography to have an educated opinion, but it seems like they put some due diligence into determining it still provided value.

tprynn8y ago

MDrollette8y ago

I'm curious why ProtonMail would have chosen SRP given your comments. https://protonmail.com/blog/encrypted_email_authentication/

tprynn8y ago

technion8y ago

As always, a relevant demonstration:

https://cryptopals.com/sets/5/challenges/37

alfalfasprout8y ago

This sounds like ephemeral diffie hellman. Is that still protected by patents? I wouldn't think so seeing we've had robust implementations in openssl for a long time now.

dfc8y ago

> The Secure Remote Password protocol (SRP) is an augmented password-authenticated key agreement (PAKE) protocol, specifically designed to work around existing patents.[1]

tptacek8y ago

It's not ephemeral Diffie-Hellman.

DorothySimOP8y ago

According to this [0] they are related ("SRP is related to Diffie-Hellman.").

[0]: http://web.archive.org/web/20130407190430/http://chargen.mat...

1 more reply

throwaway2016a8y ago

The part I found interesting was "specifically designed to work around existing patents"

cvwright8y ago

Specifically, Bellovin & Merritt's Encrypted Key Exchange (EKE).

https://en.wikipedia.org/wiki/Encrypted_key_exchange

The patent is expired now though.

j / k navigate · click thread line to collapse