On Thu, Jun 5, 2008 at 12:51 PM, Tim Starling <tstarling(a)wikimedia.org> wrote:
> Well, I did consider it, back in 2003, the tradeoff of course is speed.
> Because we're working in PHP, an attacker could do the same operation
> several times faster than we could, using C/C++. Serving web pages is
> meant to be fast, with lots of concurrent requests, and there might be a
> need to do batch operations. There's probably an argument for stretching
> it out to a few milliseconds, but with 65000 iterations I get 130ms on
> zwinger which is probably going a bit too far.

While you are taking requests:
JS SRP please:
http://code.google.com/p/clipperz/source/browse/trunk/crypto.library/src/js…
(http://en.wikipedia.org/wiki/Secure_remote_password_protocol)
:)
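
The iteration-count tradeoff in the quoted message (stretching to a few milliseconds rather than 130 ms), worked through as an added example that is not code from this thread or from MediaWiki. The hash (SHA-256), the record layout, the 3 ms budget, the iteration cap and all function names are assumptions made for illustration.

```php
<?php
// Added example: SHA-256, the "s256$..." record layout, the 3 ms budget and
// all function names are assumptions, not taken from the thread or MediaWiki.
const MAX_ITERATIONS = 1000000; // refuse absurd counts read from stored records

// Iterated salted hash in a plain PHP loop (stand-in for the scheme discussed).
function stretch(string $password, string $salt, int $iterations): string
{
    $h = hash('sha256', $salt . $password, true);
    for ($i = 1; $i < $iterations; $i++) {
        $h = hash('sha256', $h . $salt . $password, true);
    }
    return bin2hex($h);
}

// Time a probe run on this host; return the iteration count that fits the budget.
function calibrate(float $budgetMs, int $probe = 20000): int
{
    $best = INF;
    for ($run = 0; $run < 3; $run++) { // best of three damps scheduler noise
        $t0 = microtime(true);
        stretch('calibration-password', 'calibration-salt', $probe);
        $best = min($best, (microtime(true) - $t0) * 1000.0);
    }
    $perIterationMs = max($best, 0.001) / $probe;
    return max(1, min(MAX_ITERATIONS, (int) floor($budgetMs / $perIterationMs)));
}

// Keep the count inside the record so it can be raised later for new hashes.
function makeRecord(string $password, int $iterations): string
{
    $salt = random_bytes(16);
    return implode('$', ['s256', $iterations, bin2hex($salt),
        stretch($password, $salt, $iterations)]);
}

function checkRecord(string $password, string $record): bool
{
    if (!preg_match('/^s256\$(\d{1,7})\$([0-9a-f]{32})\$([0-9a-f]{64})$/', $record, $m)
        || (int) $m[1] < 1 || (int) $m[1] > MAX_ITERATIONS) {
        return false; // malformed record or iteration count out of range
    }
    return hash_equals($m[3], stretch($password, hex2bin($m[2]), (int) $m[1]));
}

$n = calibrate(3.0); // "a few milliseconds" per login, constructed budget
$record = makeRecord('constructed-password', $n);
printf("%d iterations fit 3 ms here; verify ok=%s, wrong=%s\n", $n,
    var_export(checkRecord('constructed-password', $record), true),
    var_export(checkRecord('wrong-password', $record), true));
```

Because the count is stored per record, the budget can be recalibrated on faster hardware without invalidating existing hashes.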