
According to https://security.stackexchange.com/a/2531/5002, TLS-SRP allows one to authenticate a client or server without third-party certificates because it uses a shared secret.

If you're going to require that the parties have a shared secret, how is this any better than agreeing on a pair of signed certificates ahead of time and using those to carry out future authentication and encryption?

Gili

1 Answer


The main advantage of SRP is that it can work over a low-entropy shared secret. Namely, a password. Passwords are not as strong (in general) as, say, RSA private keys, but they can be stored in human brains.

If you use a pair of self-signed certificates, then each party (client and server) will have to store a hash of the peer certificate (that's easy) and also its own private key (that's the hard part). Storing private keys is hard because it makes the storage device highly sensitive, e.g. theft becomes a critical issue. Passwords, on the other hand, can be kept in your mind, which (theoretically) is immune to theft.

TLS-SRP, in that sense, contrasts with TLS-PSK, in which the shared secret must have high entropy (because what travels on the wire allows for offline dictionary attacks). TLS-PSK does not offer any security advantage over self-signed certificates (it may have performance advantages, though: smaller messages, fewer computations...).

Tom Leek
  • Good point. I've posted a follow-up question here: http://security.stackexchange.com/q/58718/5002 – Gili May 26 '14 at 02:35
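The two points in the answer above (the server holds only a verifier derived from the password, and a PSK transcript can be attacked offline) are easier to see in code. The following is an added example, not part of the question or of Tom Leek's answer: it runs one SRP-6a exchange with the message formulas from RFC 5054 (x = SHA1(s | SHA1(I ":" P)), k = SHA1(N | PAD(g)), u = SHA1(PAD(A) | PAD(B)), B = k*v + g^b) using the RFC's 1024-bit group, transcribed here and assumed exact, and then contrasts it with a deliberately simplified PSK-style exchange. That PSK model (HMAC key from PSK and nonces, then a MAC over the transcript) is my own illustration of the "what travels on the wire" problem and is not the TLS-PSK wire format. The usernames, passwords and the small dictionary are constructed sample input.

```python
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054 Appendix A (g = 2). Assumption: the hex below is an
# exact transcription of the RFC value; verify against the RFC before reusing it.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8          # 128 bytes for the 1024-bit group


def pad(x):
    """PAD() from RFC 5054: big-endian, left-padded to the byte length of N."""
    return x.to_bytes(NLEN, "big")


def sha1_int(*parts):
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def private_x(username, password, salt):
    # x = SHA1(s | SHA1(I | ":" | P))  (RFC 5054, section 2.5.3)
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return sha1_int(salt, inner)


def srp_enroll(username, password):
    """Server stores (salt, verifier v = g^x mod N); the password is never stored."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def srp_handshake(username, enrolled_pw, typed_pw):
    """One SRP-6a exchange; True if client and server derive the same premaster S."""
    salt, v = srp_enroll(username, enrolled_pw)
    k = sha1_int(pad(N), pad(g))                       # k = SHA1(N | PAD(g))

    # Client -> server: A = g^a mod N (sent in ClientKeyExchange).
    a = secrets.randbits(256)
    A = pow(g, a, N)
    if A % N == 0:                                     # server MUST abort on A == 0
        raise ValueError("invalid A")

    # Server -> client: (N, g, s, B = k*v + g^b mod N) in ServerKeyExchange.
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N
    if B % N == 0:                                     # client MUST abort on B == 0
        raise ValueError("invalid B")

    u = sha1_int(pad(A), pad(B))                       # u = SHA1(PAD(A) | PAD(B))

    # Client side: needs the password as typed now, never sees the verifier.
    x = private_x(username, typed_pw, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)

    # Server side: needs only the stored verifier, never sees the password.
    S_server = pow(A * pow(v, u, N) % N, b, N)

    return S_client == S_server


# --- Contrast: simplified PSK-style exchange (my model, NOT the TLS-PSK format) ---
# Both sides derive a key from the PSK plus fresh nonces and MAC the transcript.
# Every input an attacker needs to test a password guess is on the wire.

def psk_transcript(psk):
    c_nonce, s_nonce = secrets.token_bytes(32), secrets.token_bytes(32)
    key = hmac.new(psk, c_nonce + s_nonce, hashlib.sha256).digest()
    finished = hmac.new(key, b"finished" + c_nonce + s_nonce, hashlib.sha256).digest()
    return {"c_nonce": c_nonce, "s_nonce": s_nonce, "finished": finished}


def psk_offline_attack(transcript, dictionary):
    """Eavesdropper recomputes the Finished MAC per guess; no further interaction."""
    nonces = transcript["c_nonce"] + transcript["s_nonce"]
    for guess in dictionary:
        key = hmac.new(guess.encode(), nonces, hashlib.sha256).digest()
        mac = hmac.new(key, b"finished" + nonces, hashlib.sha256).digest()
        if hmac.compare_digest(mac, transcript["finished"]):
            return guess
    return None


if __name__ == "__main__":
    print("SRP, correct password:", srp_handshake("alice", "correct horse", "correct horse"))
    print("SRP, wrong password:  ", srp_handshake("alice", "correct horse", "Correct horse"))
    t = psk_transcript(b"hunter2")
    print("PSK recovered offline:", psk_offline_attack(t, ["password", "letmein", "hunter2"]))
```

The SRP transcript (salt, A, B) gives the eavesdropper no equivalent test: checking a guessed password requires either the client's random exponent a or the server's b, neither of which is sent. The premaster S is hashed into the TLS master secret by the TLS PRF in a real deployment; this example stops at S.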