by tptacek 5644 days ago
So for a whole long bunch of messages you have two people talking past each other about how the world uses passwords and the semantics of SSO and then "Is your SRP math constant time with respect to the passwords in use". Zed, seriously? This is making me sad.

Best to make sure your HMAC implementation is constant time with respect to the key, too!

If you think for just a little while, I think you can spot the "semantic" difference between using RSA and SRP in this scenario, and why using one instead of the other would change this system from a curiosity to a danger.

Has it occurred to you that this is the best conversation you've had about AUTHO.ME so far because it appeared authoritative but didn't challenge you at all? Is that what you want? Preening isn't going to make your system better. I'm trying hard to believe that you're better than that.

2 comments

No, it's the best conversation because, unlike conversations with you, it brought legit testable things to test for and questioned basic assumptions I had based on actually looking at the code I'd made. E.g., a timing attack based on password length in SRP is legit. Everything you bring up is just yelling and screaming about browser security issues every login system has, then claiming your proposed login solution doesn't have them.

Even in this comment you're all over the map. HMAC? I'm not using HMAC. RSA vs. SRP? One is an asymmetric cryptography algorithm and the other is an authentication protocol, which are very different. You can't just slap RSA on something and then it's an auth algorithm. There's a whole range of protocol analysis to do in addition to just using RSA.

But why am I telling you that? You're a real cryptographer. How come you didn't mention the possible timing attack against SRP?

No, Zed. A timing attack based on password length in SRP is not really legitimate.

As you know, I read your code, and I know you're not using HMAC. I'm saying that timing SRP based on passwords is like timing HMAC based on the key: i.e., not how a timing attack on SRP would actually work.

I'm going to let someone else chime in and add details to this, because when you and I argue, it just becomes a crazy personality-driven soap opera. I have approximately the same issue with Kaminsky, so don't think that's somehow a criticism of you.

For the record: I'm not a real cryptographer. We do have some on HN. Colin Percival is really a cryptographer; he has been published multiple times in the literature. What I do is get paid to break systems, and I've been on a tear through crypto features in the last couple years. I am a second-rate Nate Lawson. That's all the background needed to sniff-test this Twitter dialog.

I wonder which order you read the thread in? I read it backwards originally.
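The SRP point tptacek makes above (the password enters the protocol only through a fixed-size hash, so the server-side arithmetic never runs "on the password" any more than HMAC runs "on the key") is easiest to see in a complete exchange. The round trip below is an added example written for this page; it is not code from AUTHO.ME or from anyone in the thread. It follows the SRP-6a message flow (client sends A, server answers with salt and B, both derive the session key, client sends a proof), generates a toy 64-bit safe-prime group at import time (a real deployment uses the 2048-bit or larger groups from RFC 5054), and the usernames, passwords and helper names are constructed for the demonstration. The only place a byte-for-byte comparison happens, the server's check of the client proof, uses `hmac.compare_digest`, which is where a naive comparison would actually matter.

```python
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; this fixed base set is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits: int = 64) -> int:
    """Find N = 2q + 1 with q and N prime. Constructed toy group for this
    example only; real deployments use the RFC 5054 groups (2048+ bits)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


N = toy_safe_prime()
G = 2  # in a safe-prime group, 2 has order q or 2q, either is fine for SRP


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


K_MULT = H(to_bytes(N), to_bytes(G)) % N  # SRP-6a multiplier k = H(N || g)


def private_key(username: str, password: str, salt: bytes) -> int:
    """x = H(salt || H(username ":" password)). The password is consumed here
    and nowhere else; everything downstream works on the 256-bit digest x."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str) -> tuple[bytes, int]:
    """Client-side enrollment. The server stores only (salt, v = g^x mod N)."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_key(username, password, salt), N)


def srp_login(username: str, password: str, salt: bytes, v: int):
    """One SRP-6a login. Returns (client_key, server_key, server_accepts)."""
    # Client -> Server: username, A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(G, a, N)
    if A == 0:                      # RFC 5054: abort on an illegal A
        raise ValueError("illegal client public value")
    # Server -> Client: salt, B = k*v + g^b   (server touches only the stored v)
    b = secrets.randbelow(N - 2) + 1
    B = (K_MULT * v + pow(G, b, N)) % N
    if B == 0:
        raise ValueError("illegal server public value")
    u = H(to_bytes(A), to_bytes(B))  # both sides: u = H(A || B)
    # Client: recompute x from the password, S = (B - k*g^x)^(a + u*x)
    x = private_key(username, password, salt)
    s_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    client_key = hashlib.sha256(to_bytes(s_client)).digest()
    # Server: S = (A * v^u)^b; no password-derived quantity other than v
    s_server = pow((A * pow(v, u, N)) % N, b, N)
    server_key = hashlib.sha256(to_bytes(s_server)).digest()
    # Client -> Server: proof M = H(A || B || K); compared in constant time
    client_proof = hashlib.sha256(to_bytes(A) + to_bytes(B) + client_key).digest()
    expected = hashlib.sha256(to_bytes(A) + to_bytes(B) + server_key).digest()
    return client_key, server_key, hmac.compare_digest(client_proof, expected)


if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse battery staple")  # constructed
    _, _, ok = srp_login("alice", "correct horse battery staple", salt, v)
    _, _, bad = srp_login("alice", "wrong password", salt, v)
    print("right password accepted:", ok, "| wrong password accepted:", bad)
```

Because `enroll` hashes the password into `x` before any group arithmetic, the verifier `v` a server stores for a one-character password and for a thousand-character one are both just residues modulo N of the same size, and `srp_login` on the server side computes with `v`, `A`, `u` and `b` only; that is the sense in which "timing SRP by password" is the same category of claim as "timing HMAC by key".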