[gnutls-devel] [RFC] srp: Add resistance against guessing usernames

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Feb 18 13:42:55 CET 2014

On Tue, Feb 18, 2014 at 12:58 AM, Attila Molnar <attilamolnar at hush.com> wrote:
> Hello everyone,
> Currently, gnutls offers protection against attackers that attempt to
> guess valid SRP usernames. This functionality is desirable, but with the
> current implementation it is easy for a client to differentiate between
> valid and invalid usernames.
> The reason for this is that gnutls currently generates a random salt each
> time a user is not found, meaning that if a client attempts to
> authenticate with the same username multiple times and gets a different
> salt every time then it can assume the username is invalid.
> The provided patch aims to fix this by consistently generating the same
> salt for each invalid username based on the username and a secret seed.
> The seed can be set by the application, allowing it to supply a seed that
> it can store and reload later. The length of the generated fake salts can
> also be chosen by the application. The default is 16 bytes - the same as
> in srptool, and the limit is 20 bytes (output size of HMAC-SHA1). This can
> be lifted if necessary; I chose to go with it to keep the patch simple.

Thanks, it's a nice feature. I wonder whether we can avoid
gnutls_srp_set_server_fake_salt_seed()... I believe most applications
would not use an additional API for that.
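
The deterministic fake salt scheme Attila describes, as an added Python illustration (this is not GnuTLS code and not the patch itself); the user table, seed and 16-byte default length are constructed for the example, and the HMAC-SHA1 output size gives the 20-byte limit mentioned above:

```python
import hashlib
import hmac
import os

# Constructed sample user database: username -> (salt, verifier).
# A real SRP server stores a password-derived verifier; the values here
# are placeholders for illustration only.
USERS = {
    "alice": (bytes.fromhex("00112233445566778899aabbccddeeff"), b"<verifier>"),
}

# 20 bytes: HMAC-SHA1 output size, hence the limit on the fake salt length.
FAKE_SALT_MAX_LEN = hashlib.sha1().digest_size


def fake_salt(seed: bytes, username: str, length: int = 16) -> bytes:
    """Derive a stable fake salt for an unknown username.

    HMAC-SHA1 keyed with the secret seed over the username: the same
    username always yields the same salt, so repeated attempts no longer
    reveal that the account does not exist. Without the seed the value is
    unpredictable, so fake salts cannot be recomputed and told apart from
    real ones. Truncation to `length` (1..20) is the application's choice.
    """
    if not 1 <= length <= FAKE_SALT_MAX_LEN:
        raise ValueError(f"fake salt length must be 1..{FAKE_SALT_MAX_LEN}")
    return hmac.new(seed, username.encode("utf-8"), hashlib.sha1).digest()[:length]


def server_salt_for(username: str, seed: bytes, users=USERS, fake_len: int = 16) -> bytes:
    """Salt the server sends in its SRP hello: the stored salt for a known
    user, otherwise the derived fake salt (the patched behaviour)."""
    entry = users.get(username)
    return entry[0] if entry is not None else fake_salt(seed, username, fake_len)


def old_server_salt_for(username: str, users=USERS) -> bytes:
    """Previous behaviour: a fresh random salt on every unknown-user lookup."""
    entry = users.get(username)
    return entry[0] if entry is not None else os.urandom(16)


def looks_nonexistent(salt_a: bytes, salt_b: bytes) -> bool:
    """The oracle the old behaviour leaked: two attempts with the same
    username that return different salts indicate an unknown user."""
    return salt_a != salt_b
```

Note that the seed must be persisted (hence the setter in the patch): a seed regenerated on every restart makes the fake salts change across restarts, reopening the oracle for a patient observer.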
