[Security] About the Firefox 3 Security Dialog & others

Eric Rescorla ekr at rtfm.com
Fri Aug 22 17:23:51 CDT 2008


On Fri, Aug 22, 2008 at 3:12 PM, Pedro Melo <melo at simplicidade.org> wrote:
> Hi again,
>
> On Aug 22, 2008, at 10:58 PM, Pedro Melo wrote:
>>
>> On Aug 22, 2008, at 9:16 PM, Jonathan Schleifer wrote:
>>
>>> Am 22.08.2008 um 22:00 schrieb Pedro Melo:
>>>
>>>> SAS, I meant SAS.
>>>
>>> Just to be sure: What's the exact difference between SRP and SAS? I only
>>> had a short look at SRP and it seemed pretty similar.
>>
>> The references I found:
>>
>>  * SAS:
>> http://www.ietf.org/internet-drafts/draft-barreto-ietf-dhhmac-sas-00.txt;
>
> A better reference for SAS, given our context of TLS, is this:
>
> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-mcgrew-tls-sas.txt
>
> After doing the protocol you end up with a (minimal) 20bit SAS string.
>
> They recommend (section 5.2.1 Representing the SAS) that we use a base32
> representation. I personally prefer to use the mnemonic encoder
> (http://tothink.com/mnemonic/) that gives me a set of three pronounceable
> and distant words.
>
> Anyway, I prefer SAS because it simpler than SRP, given that I usually have
> an alternative channel (not necessary a secure one). SRP usually requires
> physical contact to exchange the secret, and if I'm with the person I want
> to authenticate, I might as well compare the full signature...

In what was is it simpler than SRP? Both require a secure alternative channel
for at least some value of secure.

SAS requires an integrity protected side channel. SRP requires a confidential
and integrity protected side channel, though the confidentiality window can
be made arbitrarily short by doing the password exchange right before the
handshake.

-Ekr


More information about the Security mailing list