* Heikki Linnakangas (hlinnaka@iki.fi) wrote:
> The big difference between SRP and SCRAM is that if you eavesdrop
> the SCRAM handshake, you can use that information to launch a
> brute-force or dictionary attack. With SRP, you cannot do that. That
> makes it relatively safe to use weak passwords with SRP, which is
> not the case with SCRAM (nor MD5)
Thanks for the info!
Looking around a bit, one issue with SRP (as pointed out by Simon
Josefsson, the author of the SCRAM implementation for GNU SASL) is that
the username is included in the verifier (similar to our implementation
today with MD5) meaning that the stored data on the server is no longer
valid if the username is changed. Obviously, our users are used to
that, but it's still something to be considered.
One question though- isn't the iteration option to SCRAM intended to
address the dictionary/brute force risk? SRP uses an exponentiation
instead of iterations but it's unclear to me if one is really strictly
better or worse than the other (nor have I found any discussion of that
comparison) for this vector.
Thanks!
Stephen