[Security] About the Firefox 3 Security Dialog & others
melo at simplicidade.org
Fri Aug 22 17:12:55 CDT 2008
On Aug 22, 2008, at 10:58 PM, Pedro Melo wrote:
> On Aug 22, 2008, at 9:16 PM, Jonathan Schleifer wrote:
>> On 22.08.2008 at 22:00, Pedro Melo wrote:
>>> SAS, I meant SAS.
>> Just to be sure: What's the exact difference between SRP and SAS?
>> I only had a short look at SRP and it seemed pretty similar.
> The references I found:
> * SAS: http://www.ietf.org/internet-drafts/draft-barreto-ietf-
A better reference for SAS, given our context of TLS, is this:
After doing the protocol you end up with a (minimal) 20-bit SAS string.
They recommend (section 5.2.1 Representing the SAS) that we use a
base32 representation. I personally prefer to use the mnemonic
encoder (http://tothink.com/mnemonic/) that gives me a set of three
pronounceable and distant words.
Anyway, I prefer SAS because it is simpler than SRP, given that I
usually have an alternative channel (not necessarily a secure one). SRP
usually requires physical contact to exchange the secret, and if I'm
with the person I want to authenticate, I might as well compare the
> * SRP: http://srp.stanford.edu/whatisit.html
> If there are better ones, I would appreciate the links.
> In the SAS case, it seems that you basically have a 32-bit
> signature to send over an alternative channel. Each person reads
> that 32-bit signature to each other and if they match, the key is
> trusted. Please correct me if I'm wrong.
> What I like in SAS is that the 32-bit key can be coded with words
> using something like this: http://tothink.com/mnemonic/
> This generates three words that encode the 32-bit number. You can
> check the URL but the choice of the word list was the interesting
> factor for me. It gives you words that are pretty distant from each
> other and over a voice channel less likely to be misinterpreted.
> Best regards,
> Pedro Melo
> Blog: http://www.simplicidade.org/notes/
> XMPP ID: melo at simplicidade.org
> Use XMPP!
XMPP ID: melo at simplicidade.org