Laszlo Zsolt Nagy <[EMAIL PROTECTED]> writes:

> This is a bit off-topic here. I read the RFC and I do not see why SRP
> is not vulnerable to dictionary attacks.
> If I have working client software then I can use it to reveal
> passwords. Isn't it a dictionary attack?
Dictionary attack in this context means an eavesdropper records a session, then compares all the hashed passwords against a word list offline. If the attacker is allowed to make unlimited online queries, then he can guess at SRP passwords too. But the host should notice that and prevent it.

--
http://mail.python.org/mailman/listinfo/python-list
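The reply's last sentence is the part the host has to implement: offline guessing against a recorded SRP session is not available to the eavesdropper, so what remains is online guessing, and the server must notice repeated failures and slow them down. The following is an added example, not code from this thread or from any SRP library, of a per-account throttle that a login handler consults before it checks anything. The credential check is a stand-in (a salted PBKDF2 hash) so the example runs on its own; an SRP verifier check, or any other, could sit in the same place. The policy numbers (three free attempts, then an exponentially growing lockout starting at one second) and the names `OnlineGuessThrottle`, `register`, `authenticate`, `FakeClock` and `demo` are assumptions of this example.

```python
import hashlib
import hmac
import os
import time


class OnlineGuessThrottle:
    """Per-account tracking of consecutive failed logins with exponential lockout.

    Policy (an assumption of this example, not taken from the thread): the first
    `free_attempts` failures in a row are tolerated; each failure after that locks
    the account for base_delay * 2**k seconds, doubling with every further failure
    and capped at max_delay. A successful login clears the counter.
    """

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock            # injectable so the policy can be tested offline
        self._failures = {}           # account -> consecutive failures
        self._locked_until = {}       # account -> clock time when the lock expires

    def lockout_remaining(self, account):
        """Seconds the account stays locked; 0.0 if it may attempt a login now."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account):
        """Count a failed guess and, once past the free attempts, lock the account."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        excess = n - self.free_attempts
        if excess > 0:
            delay = min(self.max_delay, self.base_delay * 2 ** (excess - 1))
            self._locked_until[account] = self.clock() + delay
        return n

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


# Stand-in credential store: a salted PBKDF2 hash per account. This is NOT SRP; it
# only gives authenticate() something to check so the throttle can be exercised.
def register(store, account, password):
    salt = os.urandom(16)
    store[account] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000))


def authenticate(store, throttle, account, password):
    """Return "locked", "bad-password" or "ok".

    The throttle is consulted before the password is examined, so a locked account
    gives the caller no signal about whether the guess was right.
    """
    if throttle.lockout_remaining(account) > 0:
        return "locked"
    # Unknown accounts get a dummy entry so they are throttled exactly like real ones.
    salt, expected = store.get(account, (b"\x00" * 16, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    if account in store and hmac.compare_digest(candidate, expected):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad-password"


class FakeClock:
    """Manually advanced clock so the lockout can be observed without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Constructed scenario: four wrong guesses, then the right password while
    locked, then the right password after the lock expires."""
    clock = FakeClock()
    throttle = OnlineGuessThrottle(free_attempts=3, base_delay=1.0, clock=clock)
    store = {}
    register(store, "alice", "correct horse battery staple")
    results = []
    for guess in ["password", "123456", "letmein", "qwerty"]:   # constructed wordlist
        results.append(authenticate(store, throttle, "alice", guess))
    results.append(authenticate(store, throttle, "alice", "correct horse battery staple"))
    clock.advance(1.0)   # the fourth failure locked the account for 1 s
    results.append(authenticate(store, throttle, "alice", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter for the point in the thread: the lock is checked before any cryptographic work, so a guessing client learns nothing while locked, and the counter is per account, which is what makes a long offline-style wordlist infeasible to replay online against a single user. A real deployment would also watch failure volume per client address and across accounts, since a per-account counter alone does not catch one password tried against many users.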