[tprynn]

While this is interesting historical reading, SRP is badly outdated and should not be used for any newly built systems. It has a lot of non-obvious failure modes around parameter handling and offline password cracking that have broken the authentication mechanism in every implementation I've seen in the real world (new implementations, not when using large packages such as OpenSSL).

Furthermore, PAKEs are of relatively limited utility; in almost every situation you could use a PAKE, there is a better, more battle-tested alternative. You will be much less likely to have complete authentication bypass in your system if you use mutual TLS rather than a PAKE.

If you have to use a PAKE, use a reviewed implementation of SPAKE2. Oh wait, there aren't any. Don't use a PAKE.

[tptacek]

A nit: even compared to some recent designs, SRP is pretty thoughtful about offline password cracking. It's not as expensive to crack as a real password hash, but far more expensive than other PAKEs.

[tprynn]

I haven't read enough about the other PAKEs to know what offline attacks look like there, but the fact that they are endemic to PAKEs is a total footgun.

For example, one implementation of SRP I looked at used 8-digit codes (e.g. 12345678) to connect new devices to a network. Eight digits was enough to prevent brute-forcing by repeatedly sending codes to the server, but not enough to prevent an attacker from MITMing the connection and brute-forcing the code offline, because the server was using a bad RNG.

[tptacek]

Wait, what's the brute-force attack you're contemplating here? I'm thinking of the attack where you've compromised the servers and stolen the verifiers.

[tprynn]

Looking back at my notes, I think my earlier comment was misleading. The offline brute force was due to an insecure random number generator, which allowed an attack against B to recover b (and from there crack the 8 digit code). So, uh, ... I'm wrong on the internet. I think we've talked about this attack before actually :P

[tptacek]

Ok, that makes more sense! There are some pretty huge systems that would be very, very broken if the attack you accidentally described was viable. :)

I agree with you that SRP is worth avoiding.

[nly]

SRP completely prevents passive MITM attacks and requires online active attack (real time impersonation of either or both parties during the handshake), and even then you can't do anything if the real server and client impose their own rate limiting

[motive]

I thought I remembered 1Password using SRP (https://blog.agilebits.com/2015/11/11/how-1password-for-team...).

I admittedly don't know enough about the underlying cryptography to have an educated opinion, but it seems like they put some due diligence into determining it still provided value.

[tprynn]

1Password uses TLS, and SRP inside TLS. If TLS is broken as in Cloudbleed, SRP hopefully still protects the channel - at least against non-active attacks such as Cloudbleed. The security still ultimately relies on TLS. Having not read the document fully, I think those would be against initial registration or in an active MITM allowing password-guessing. I'm looking at page 52 of https://1password.com/teams/white-paper/1Password%20for%20Te....

[MDrollette]

I'm curious why ProtonMail would have chosen SRP given your comments. https://protonmail.com/blog/encrypted_email_authentication/

[tprynn]

I don't think you'll find many people in the security industry who think ProtonMail is anything but a joke. I'll leave you with this (written by 'tptacek): https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

[technion]

As always, a relevant demonstration:

https://cryptopals.com/sets/5/challenges/37