[gnutls-devel] [PATCH] srp: Add resistance against guessing usernames

Attila Molnar attilamolnar at hush.com
Wed Feb 19 00:04:23 CET 2014

On Tue, Feb 18, 2014 at 7:52 PM, "Nikos Mavrogiannopoulos" <nmav at gnutls.org> wrote:
>>  	entry->v.data = gnutls_malloc(20);
>>  	entry->v.size = 20;

The verifier is always 20 bytes long regardless of the salt or
the seed.

>> +	_gnutls_set_datum(&cred->fake_salt_seed, seed->data, seed-
>> +	cred->fake_salt_length = (salt_length < 20 ? salt_length : 20);

The 20 in this case refers to the output size of the hmac and is
always the same unless hmac-sha1 is changed to something
else with a different output size.

Changing DEFAULT_FAKE_SALT_SEED_SIZE means changing the size
of the default (random) seed that is generated for each srp server
credentials upon allocation (which is used unless the program provides
its own seed using gnutls_srp_set_server_fake_salt_seed()).
If this is changed for some reason, we would still allow for the
application to request up to 20 byte long fake salts because the
hmac output size would stay the same regardless.

Want me to change it anyway, or introduce a new #define for this?

On a related note, we could allow applications to request longer
fake salts than the output size of the hmac if we wanted to by
doing more hashing:
_gnutls_mac(&ctx, "salt", 4);
This constant part can be modified and the operation repeated
to generate arbitrarily long fake salts.



Regards, Attila

More information about the Gnutls-devel mailing list