From owner-freebsd-security  Thu Jul  8  8:46:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10])
	by hub.freebsd.org (Postfix) with ESMTP id 69921154F5
	for <security@freebsd.org>; Thu,  8 Jul 1999 08:46:31 -0700 (PDT)
	(envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218])
	by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id RAA11136;
	Thu, 8 Jul 1999 17:46:31 +0200 (CEST)
Received: (from eivind@localhost)
	by bitbox.follo.net (8.8.8/8.8.6) id RAA51572;
	Thu, 8 Jul 1999 17:46:23 +0200 (MET DST)
Date: Thu, 8 Jul 1999 17:46:23 +0200
From: Eivind Eklund <eivind@freebsd.org>
To: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
Cc: Peter Wemm <peter@netplex.com.au>, security@freebsd.org
Subject: Re: Improved libcrypt ready for testing
Message-ID: <19990708174622.B50609@bitbox.follo.net>
References: <19990708111429.E46370@bitbox.follo.net> <Pine.OSF.4.10.9907082253220.14192-100000@bragg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: <Pine.OSF.4.10.9907082253220.14192-100000@bragg>; from Kris Kennaway on Thu, Jul 08, 1999 at 11:13:53PM +0930
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jul 08, 1999 at 11:13:53PM +0930, Kris Kennaway wrote:
> On Thu, 8 Jul 1999, Eivind Eklund wrote:
> > Kris Kennaway wrote:
> > > I have the SRP reference implementation working at home - it
> > > requires changes to clients, though.
> > 
> > Does it require changes to clients in order to be used as a normal
> > password hash, not to do challenges against?  I can't remember
> > anything about it that would force that?
> 
> SRP stores a salt and "verifier" (essentially just the hash of the password
> taken as an exponent of a large integer modulo another large integer)
> 
> As an interim measure, this could be used as just another hash
> algorithm like any other which is queried by cleartext passwords,
> but obviously you wouldn't want to be querying some services using
> SRP and others using the plaintext of the same password.

I disagree.  In my opinion, you would obviously want to - to give a
simple example, I'm willing to type my plaintext password at a login
prompt, but I'm not willing to transfer it in the clear using POP3.

> I should have time this weekend to knock this up together with some
> of the changes discussed so far in this thread.
> 
> The simplest way to SRP-ify an application is probably to make both
> client and server talk PAM and use the pam_srp module (which I
> haven't checked out yet).

This is the next step after actually having the SRP password hashes in
the database in the first place :)

Eivind.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message