Re: SRP + 3DES - secure enough?



"Rob Y." <ryampolsky@xxxxxxxxx> wrote in message news:7b323d77-a502-4d25-8495-cacf6c57f3dc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The process of producing the session keys via SRP will be enough to encrypt
the data in 3DES. It will not be feasible to recover the keys given only
cipher text from the handshakes.


Thanks. I figured that must be the case, but it's nice to hear it
stated so definitively.

So what about 3DES produces that security? Does it not use all of the
SRP-generated session key as a hash? Does it use some of the session
key to provide randomness in the 3DES algorithm itself?

You can read the wikipedia description of DES for more information on how the session key is used to produce the pseudo-random cipher-text from the plain-text. THe process of deriving the 3DES key from the SRP handshake should deliver 168 bits of random material, and that would be a result of your implementation. Is there any reason you are not using AES-128?

karl m

.