undefined | Better HN

0 pointsprophesi6y ago0 comments

Could you elaborate on that? I'm assuming by "password authenticators" you mean the different hashing algorithms one could employ to securely store passwords.

With SRP, you're protected from replay attacks, and from eavesdropping. You also don't need to trust the server's certificate, which can be a problem with obscure IoT devices.

For icing on the cake, you can do client-side hashing of the password before running it through the protocol so that even if the attacker took over the server, they would have just as difficult of a time running an offline dictionary attack.

The downside for that last part is how underdeveloped the WebCrypto API currently is. You wouldn't be able to use bcrypt or the like without needing a third-party library.

0 pointsprophesi6y ago0 comments

Could you elaborate on that? I'm assuming by "password authenticators" you mean the different hashing algorithms one could employ to securely store passwords.

With SRP, you're protected from replay attacks, and from eavesdropping. You also don't need to trust the server's certificate, which can be a problem with obscure IoT devices.

The downside for that last part is how underdeveloped the WebCrypto API currently is. You wouldn't be able to use bcrypt or the like without needing a third-party library.

0 comments

3 comments · 1 top-level

tptacek6y ago· 2 in thread

TLS provides much the same protection from eavesdropping, and is practically the universal standard today. Modern password hashes are superior to the augmented authenticator form SRP stores. And you cannot simply "replay" a TLS session. In the modern web stack, the only thing SRP actually accomplishes is the authentication of a TLS connection with a password rather than certificates, which is a fringe use case.

PAKEs are interesting in custom protocols; for a recent and valuable example, see Magic Wormhole. But the reason you don't see them everywhere is that they're just not that useful in web applications.

est316y ago

You treat TLS like a silver bullet. Yes, it's common, but so are TLS intercepting CDNs like Cloudflare which can do a passive attack to find out user passwords. Also, if the password never even enters your network, you are safe from any misplaced debug setting that accidentially logs your passwords (happened to facebook).

The only disadvantage from SRP is that you can't do server side stretching which means you are limited by device concerns like battery power for your stretching parameters.

prophesiOP6y ago

From what I've gathered from the discussions & links on here:

Our current solution for password authentication is perfectly fine, unless you distrust your CA's.

SRP itself is a bit of a mess, and has gone through a lot of iterations to fix its faults. OPAQUE is probably your best bet. But implementing the protocol seems like overkill for password auth, and is easy to implement improperly.

Such PAKE's will likely prove to have other good use-cases, however, like magic-wormhole.

1 more reply

j / k navigate · click thread line to collapse