Re: authentication (SRP*, DH, TLS)




gmu2006@xxxxxxxxx wrote:
Introduction:
I'm working on a commercial product which was ported from
win32 to GNU/Linux. While doing so we have used TCP/IP
sockets instead of Named Pipes for IPC. By doing so
we've lost the big advantage of having DACLs set on the
named pipes that prevent unauthorized access to the
services.
Now I'm trying to recreate that with the tcp sockets version.
Because of the performance hit we can't use TLS which
checks client+server certificates for preventing MITM.

After evaluating the possibilities I've come to the conclusion
that SRP-6 could be a possible solution.

What I'm trying to find out is:
* is SRP-6 really MITM proof
* how do I prevent using SRP-Z mode which requires royalties
* are there any better implementations than Tom Wu's default
one which when fed to modern compilers like VC8 requires
too much massaging to be compilable and warning-free. I've
not even tried gcc-4.x yet.
* is it legal to use libsrp with the embedded 1996 copy of
getopt.[c,h] which says it is licensed
"GNU Library General Public License" under. actually I'm
not sure (I'll assume this is LGPL) this is legal as LGPL
defines linking against the lib only AFAIK

I wrote a Secure Remote Password SRP-6 sample implementation in C and
posted the results on my web page: www.geocities.com/malbrain.

I don't know if Standford University is still pursuing licenses for
SRP-6. karl m

.