Highest Voted 'srp' Questions - IT Security Stack Exchange

1

vote

1 answer

What's the advantage of TLS-SRP over self-signed certificates?

According to https://security.stackexchange.com/a/2531/5002 TLS-SRP allows one to authenticate a client or server without third-party certificates because it uses a shared secret. If you're going to require the parties have a shared secret, how is…

tls srp

asked May 25 '14 at 05:28

Gili

2,149
3
23
41

1

vote

1 answer

Hardening an old SRP3 protocol setup

This is the situation: client-server login is done via SRP3, hash used is single SHA1. Client cannot be modified but server can (open source). Because of this, all hashed passwords in the database are only SHA1. Server got hacked several times…

srp

asked Jun 28 '13 at 17:40

cen

275
1
3
8

1

vote

1 answer

PAKE - What to do when a weakness is found?

In the case of a password hashing function like Argon2, I know that when a weakness is found, you use another password hashing function, wrap it around the existing hashes and calculate the hash of the password directly when the user logs in…

password-cracking srp

asked Jun 17 '21 at 08:01

Gamer2015

707
4
12

1

vote

1 answer

How do SRP (and PAKE generally) protect against verifier leak

I have been reading into PAKE protocols, specifically starting with SRP RFC2945 The gist of the requirement on the server is that the server saves triplet (username, verifier (v), salt (s)) in the credentials table. Where verifier v = g^x % N (the ^…

authentication sql-injection key-exchange srp

asked May 20 '20 at 19:29

Ali

125
4

1

vote

1 answer

There is a recommanded solution to protect SRP verifier to be used if the DB is leaked?

We working on a new website we would like to use SRP protocol. So the salt and verifier are sent to the server, and in theory the server store them like that in a database. If the DB is leaked, attacker could surely brute-force a user password and…

account-security rootkits srp

asked Oct 29 '17 at 19:27

lakano

155
8

1

vote

1 answer

SRP cipher suite

From this I understand that SRP is an algorithm that performs authentication and key exchange between a client and a server. Consider two cipher suites like the following two, which algorithm would be used for key exchange in the second one, SRP or…

tls srp

asked Aug 13 '17 at 11:56

Neofytos Frangos

13
4

1

vote

0 answers

SRP and compromised verifier

Let's assume that attacker knows verifier, so now he can commit MitM attack. 1) Client sends A to Server 2) MITM takes it and sends B to client While MITM knows the verifier, he also can compute the secret key. So every message from client…

man-in-the-middle srp

asked Mar 14 '17 at 17:49

Tony

111
1

0

votes

0 answers

SRP authentication in an Android app over REST

I'm currently trying to come up with an authentication process for an Android app, that talks with web backend using REST. At the moment the communication is secured by TLS (with cert pinning) and auth tokens - former makes the client trust the…

authentication android srp

asked Aug 30 '22 at 15:08

barti90

1

0

votes

1 answer

Implementing SRP without storing the salt anywhere

I am attempting to use SRP to verify clients when they authenticate with a webserver, so that the password is never sent over the wire. Looking at the SRP procedure, when a client registers with the server it sends v (verifier), s (salt), and I (the…

authentication web-application password-management salt srp

asked Nov 27 '18 at 01:10

ExecutionByFork

437
3
7

Questions tagged [srp]