reconsider SRP, it's way cool

Adam M. Costello amc at cs.berkeley.edu
Thu Mar 30 10:59:34 EST 2000


I just joined the list, and I see in the archives that about a month ago
there was a brief discussion of SRP, but it was dismissed.

I urge people to take a look at this site:

http://srp.stanford.edu/srp/

It's very cool.

Let's say I'm on vacation visiting a friend, and I want to log in to
my account back home.  I trust my friend's machine, but I don't have
my home machine's public key, nor my personal keys, and there's no
secure way for me to get them.  If I try to use ssh with password
authentication, a man in the middle can get my password.  Ssh is a
wonderful tool that solves almost all my security problems, except for
this one, and it's a fairly common one.

With SRP, all I need to know is my password, and the two machines
can mutually authenticate each other with no risk of a man in the
middle learning anything.  If this technique had existed when ssh was
originally written, it surely would have been used.

I think SRP would be a valuable addition to the ssh protocol, but where
should that discussion should take place?  Are there still people
working on standardizing the ssh protocol?

It's tricky because ssh and SRP use different models of session
establishment: ssh first authenticates the server using a public key,
then chooses a session key, then authenticates the client using any of a
number of methods.  SRP first mutually authenticates both the server and
client using only a password, and a session key falls out.

One idea is to have a mode where ssh provisionally accepts an unknown
host key, but doesn't write it to known_hosts unless SRP is subsequently
used successfully.  The key that falls out of SRP could be used to
change the session key, but I'm not sure that's necessary.

AMC





More information about the openssh-unix-dev mailing list