On Thu, Jun 5, 2008 at 12:51 PM, Tim Starling tstarling@wikimedia.org wrote:
Well, I did consider it, back in 2003; the tradeoff, of course, is speed. Because we're working in PHP, an attacker could do the same operation several times faster than we could, using C/C++. Serving web pages is meant to be fast, with lots of concurrent requests, and there might be a need to do batch operations. There's probably an argument for stretching it out to a few milliseconds, but with 65000 iterations I get 130ms on zwinger, which is probably going a bit too far.
While you are taking requests:
JS SRP please: http://code.google.com/p/clipperz/source/browse/trunk/crypto.library/src/js/...
(http://en.wikipedia.org/wiki/Secure_remote_password_protocol)
:)
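The iteration-count tradeoff in the quoted message, as an added example that is not part of the thread and is not MediaWiki code: it sizes the iteration count to a per-login time budget and stores the count in each record so it can be raised later. PBKDF2-HMAC-SHA256, the record format, the function names and the 3 ms budget are assumptions; the thread does not name the hash being iterated.

```php
<?php
// Added example. PBKDF2-HMAC-SHA256 is an assumed stand-in for the
// iterated hash discussed in the thread.

// Scale a measured (iterations, milliseconds) pair to a time budget,
// assuming cost grows linearly with the iteration count.
function iterationsForBudget(int $iters, float $measuredMs, float $budgetMs): int {
    return max(1, (int) floor($iters * $budgetMs / $measuredMs));
}

// Time a probe run on this host and return the count that fits the budget.
function calibrate(float $budgetMs, int $probe = 20000): int {
    $start = hrtime(true);
    hash_pbkdf2('sha256', 'probe-password', 'probe-salt', $probe, 32, true);
    $elapsedMs = (hrtime(true) - $start) / 1e6;
    return iterationsForBudget($probe, max($elapsedMs, 0.001), $budgetMs);
}

// The iteration count is stored in the record, so raising it later
// does not invalidate hashes created with the old count.
function hashPassword(string $password, int $iters): string {
    $salt = random_bytes(16);
    $dk = hash_pbkdf2('sha256', $password, $salt, $iters, 32, true);
    return implode('$', ['pbkdf2-sha256', $iters, bin2hex($salt), bin2hex($dk)]);
}

function verifyPassword(string $password, string $record): bool {
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;
    }
    [, $iters, $saltHex, $dkHex] = $parts;
    $hexOk = ctype_xdigit($saltHex) && ctype_xdigit($dkHex)
        && strlen($saltHex) % 2 === 0 && strlen($dkHex) === 64;
    if (!ctype_digit($iters) || (int) $iters < 1 || !$hexOk) {
        return false; // malformed record: reject rather than guess
    }
    $dk = hash_pbkdf2('sha256', $password, hex2bin($saltHex), (int) $iters, 32, true);
    return hash_equals(hex2bin($dkHex), $dk); // constant-time comparison
}

// Figures quoted in the thread: 65000 iterations took 130 ms.
// The 3 ms budget is a constructed value for "a few milliseconds".
printf("thread's rate, 3 ms budget: %d iterations\n", iterationsForBudget(65000, 130.0, 3.0));
$iters = calibrate(3.0);
$record = hashPassword('correct horse', $iters);
printf("this host, 3 ms budget: %d iterations\n", $iters);
var_dump(verifyPassword('correct horse', $record), verifyPassword('wrong', $record));
```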