Brian Smith wrote:
> "Jean-Marc Desperrier" wrote:
>> Why are you choosing J-PAKE instead of SRP?
>
> The J-PAKE authors claim they developed J-PAKE to avoid patents that
> cover other algorithms, and they claim they won't patent it. I don't
> know if either claim is true or not.

The reference I gave before shows that there is now a widely accepted opinion that SRP does not infringe on patents more than J-PAKE (even if there was indeed that doubt a few years ago).

A patent that covers SRP might be found, but it does not appear today to be more likely than it is for J-PAKE.

[...]

Balanced vs augmented does not matter for Sync's usage because the
user is at both end points. The end-user is establishing a secure
channel from one of his/her devices to another one of his/her devices
that are in the same location. Also, there is a new PIN (password) for
every transaction.

See https://wiki.mozilla.org/Services/Sync/SyncKey/J-PAKE

If you don't need augmented security, J-PAKE makes more sense.

I'm now reading here http://www.mail-archive.com/cryptogra...@metzdowd.com/msg09739.html that J-PAKE is *proven* to be no weaker than the algorithms it relies on. I don't have exact references but I doubt that version 6 of SRP doesn't have an equivalent security proof, given the number of standards that rely on it. Wikipedia says "even if one or two of the cryptographic primitives it uses are attacked, it is still secure" but doesn't give a direct link that shows that (they are references to it resisting collision attacks on SHA1).

Given the number of protocols that include SRP (SSL/TLS, EAP, SAML), given that there's already a proposed patch for NSS (bug 405155, bug 356855), a proposed patch for openssl ( http://rt.openssl.org/Ticket/Display.html?id=1794&user=guest&pass=guest ), I still think SRP is the better choice since the effort to implement it would be much more widely useful than with J-PAKE.

In the long term, I wouldn't be surprised if at some point you'll add another scenario where augmented security would be useful, and you will in all likelihood stay the only users of J-PAKE. I believe SRP will certainly end up being included, and it will be a little stupid to have 2 functionally equivalent algorithms.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
