[Security] channel bindings

Peter Saint-Andre stpeter at stpeter.im
Wed Feb 18 13:07:59 CST 2009


Dirk Meyer wrote:
> Eric Rescorla wrote:
>> I don't have time to write a full note here, but I wanted to observe that
>> the corresponding TLS mechanism to SCRAM is really TLS-PSK,
>> which *is* in OpenSSL. SRP differs from SCRAM and PSK in that
>> an attacker can't dictionary search the password offline, whereas
>> in SCRAM/PSK he can.
> 
> I would like to hear your thoughts on
> http://xmpp.org/extensions/inbox/jingle-xtls.html#sect-id2254294
> 
> I agree with you, for me TLS-SRP looks like a better method than channel
> bindings with SCRAM. Do you know of any post 2002 development of the SRP
> patent issues?

Better in what sense?

What exactly is the password? Are they ephemeral, so that you and I
agree on it in some very temporary way (e.g., we're in the same chatroom
and agree to use the current discussion topic or whatever)? What is the
attack window? If it is small, we might not need to worry about
dictionary searches.

I'm still trying to understand the channel binding magic, but I agree
with Dave that if we settle on SCRAM as the go-forward mandatory to
implement SASL mechanism for the c2s case (as seems likely), then we'll
already have support for it in the clients so re-using it for the e2e
case would be somewhat straightforward.

/psa