Philipp von Weitershausen wrote:
Not sure how generic the signature of the zero knowledge proof we use
in J-PAKE is. Compatibility with the implementation found in OpenSSL
is important for us right now
Hi,
Why are you choosing J-PAKE instead of SRP ?
Looking for an assessment of J-PAKE against SRP, I found the following
that make me worried that choice's a mistake.
http://rdist.root.org/2010/09/08/clench-is-inferior-to-tlssrp/#comment-5990
The JPAKE in OpenSSH is unfinished and I don’t recommend enabling it
[...] When writing it, I came up with a hacky solution to the cleartext
password storage problem [...]
http://rdist.root.org/2010/09/08/clench-is-inferior-to-tlssrp/#comment-5993
“Balanced” is symmetric and requires both sides to hold the same
authenticator (e.g., a plaintext password). “Augmented” has the
additional property that compromise of the server does not yield the key
necessary to impersonate the client
JPAKE and SPEKE are balanced schemes and thus have the same problem as
Clench. However, SRP does not. SRP is an augmented scheme
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
