[Security] About the Firefox 3 Security Dialog & others

Pedro Melo melo at simplicidade.org
Fri Aug 22 16:58:08 CDT 2008


On Aug 22, 2008, at 9:16 PM, Jonathan Schleifer wrote:

> Am 22.08.2008 um 22:00 schrieb Pedro Melo:
>
>> SAS, I meant SAS.
>
> Just to be sure: What's the exact difference between SRP and SAS? I only had a short look at SRP and it seemed pretty similar.

The references I found:

  * SAS: http://www.ietf.org/internet-drafts/draft-barreto-ietf-dhhmac-sas-00.txt;
  * SRP: http://srp.stanford.edu/whatisit.html

If there are better ones, I would appreciate the links.

In the SAS case, it seems that you basically have a 32-bit signature to send over an alternative channel. Each person reads that 32-bit signature to the other and if they match, the key is trusted. Please correct me if I'm wrong.

What I like in SAS is that the 32-bit key can be coded with words using something like this: http://tothink.com/mnemonic/

This generates three words that encode the 32-bit number. You can check the URL, but the choice of the word list was the interesting factor for me. It gives you words that are pretty distant from each other and over a voice channel less likely to be misinterpreted.

Best regards,
-- 
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org
Use XMPP!
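The SAS flow sketched in the message above, worked through as an added example (not code from the thread, the draft, or the mnemonic project): derive a 32-bit value from both sides' key-agreement public values, turn it into words, and have the two humans compare the words over the voice channel. The derivation (a truncated SHA-256 over the two public values, sorted so both ends agree) is an assumed construction for illustration rather than the exact formula of draft-barreto-ietf-dhhmac-sas; the public values are constructed hashes of labels, not a real Diffie-Hellman run; and the 32-word list is a constructed stand-in for the mnemonic project's list. The tothink mnemonic encoder uses 1626 words, which is why three words suffice (1626^3 exceeds 2^32); `words_needed` generalizes that to any list size, and the MITM branch shows why the comparison detects a substituted public value.

```python
import hashlib
from typing import List, Sequence, Tuple

SAS_BITS = 32  # size of the short authentication string discussed in the thread


def derive_sas(pub_a: bytes, pub_b: bytes, bits: int = SAS_BITS) -> int:
    """Short authentication string from both Diffie-Hellman public values.

    Assumed construction for this example: a truncated hash over the two
    public values, sorted so both endpoints get the same result regardless
    of who sent first. A substituted public value changes the hash input on
    at least one side, which is what the out-of-band comparison catches.
    """
    lo, hi = sorted((pub_a, pub_b))
    digest = hashlib.sha256(b"SAS-example-v0" + lo + hi).digest()
    return int.from_bytes(digest[: bits // 8], "big")


def words_needed(list_size: int, bits: int = SAS_BITS) -> int:
    """Smallest word count whose combinations cover every `bits`-bit value."""
    if list_size < 2:
        raise ValueError("word list must have at least two entries")
    count = 1
    while list_size ** count < 2 ** bits:
        count += 1
    return count


def encode_words(value: int, wordlist: Sequence[str], bits: int = SAS_BITS) -> List[str]:
    """Fixed-width base-N encoding of a `bits`-bit value into words (low digit first)."""
    if not 0 <= value < 2 ** bits:
        raise ValueError("value does not fit in %d bits" % bits)
    n = len(wordlist)
    words = []
    for _ in range(words_needed(n, bits)):
        value, idx = divmod(value, n)
        words.append(wordlist[idx])
    return words


def decode_words(words: Sequence[str], wordlist: Sequence[str]) -> int:
    """Inverse of encode_words."""
    n = len(wordlist)
    value = 0
    for w in reversed(words):
        value = value * n + wordlist.index(w)
    return value


# Constructed demo list: the NATO spelling alphabet plus six colour words,
# picked so no two entries sound alike. 32 entries means 5 bits per word,
# so a 32-bit SAS needs 7 words here instead of the 3 a 1626-word list gives.
DEMO_WORDS = [
    "alfa", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel",
    "india", "juliett", "kilo", "lima", "mike", "november", "oscar", "papa",
    "quebec", "romeo", "sierra", "tango", "uniform", "victor", "whiskey", "xray",
    "yankee", "zulu", "amber", "cobalt", "ivory", "magenta", "olive", "scarlet",
]


def check_wordlist(wordlist: Sequence[str]) -> bool:
    """Minimal checks a voice word list should pass: unique, none a prefix of another."""
    words = [w.lower() for w in wordlist]
    if len(set(words)) != len(words):
        return False
    return not any(a != b and b.startswith(a) for a in words for b in words)


def exchange(mitm: bool) -> Tuple[List[str], List[str]]:
    """Words Alice and Bob would each read aloud after the key exchange.

    Public values are constructed (hashes of labels) so the run is
    deterministic; with mitm=True, Mallory replaces what each side sees.
    """
    pub_a = hashlib.sha256(b"alice-dh-public").digest()
    pub_b = hashlib.sha256(b"bob-dh-public").digest()
    pub_m = hashlib.sha256(b"mallory-dh-public").digest()
    seen_by_alice = pub_m if mitm else pub_b
    seen_by_bob = pub_m if mitm else pub_a
    alice = encode_words(derive_sas(pub_a, seen_by_alice), DEMO_WORDS)
    bob = encode_words(derive_sas(pub_b, seen_by_bob), DEMO_WORDS)
    return alice, bob


def voice_check(alice: Sequence[str], bob: Sequence[str]) -> bool:
    """The human step: trust the key only if both read out identical words."""
    return list(alice) == list(bob)


if __name__ == "__main__":
    for mitm in (False, True):
        a, b = exchange(mitm)
        print("MITM  " if mitm else "honest", " ".join(a), "|", " ".join(b), "->", voice_check(a, b))
```

The honest run prints the same seven words on both sides; the MITM run prints two different strings, which is the mismatch the users are supposed to notice. A 32-bit SAS only helps if the attacker cannot grind public values until the two strings collide within one exchange, which is why the real protocols commit to a value before revealing it; that commitment step is outside this example.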



