The Secure Remote Password protocol (SRP) is a password-authenticated key agreement protocol: an interactive method by which two parties establish cryptographic keys based on one party's knowledge of a password.
Overview
The SRP protocol has a number of desirable properties: it allows a user to authenticate themselves to a server, it is resistant to dictionary attacks mounted by an eavesdropper, and it does not require a trusted third party. It effectively conveys a zero-knowledge password proof from the user to the server: the server learns nothing about the password beyond the fact that the client knows it. Only one password can be guessed per connection attempt in revision 6 of the protocol, so online guessing is bounded by how the server throttles failed attempts rather than by the protocol's cryptography. One of the interesting properties of the protocol is that even if one or two of the cryptographic primitives it uses are attacked, it is still secure. The SRP protocol has been revised several times and is currently at revision six.
The SRP protocol creates a large shared secret key between the two parties in a manner similar to Diffie–Hellman, then verifies to both parties that the two keys are identical and that both sides have the user's password. In cases where encrypted communications as well as authentication are required, the SRP protocol is more secure than the alternative of sending the password itself over an SSH-style encrypted channel (which protects the password only if the client has correctly verified the server's host key first) and faster than using Diffie–Hellman with signed messages. It is also independent of third parties, unlike Kerberos. Version 3 of the SRP protocol is described in RFC 2945. SRP version 6 is also used for strong password authentication in SSL/TLS (in the TLS-SRP ciphersuites of RFC 5054) and in other standards such as EAP and SAML, and is being standardized in IEEE P1363 and ISO/IEC 11770-4.
Protocol
The following notation is used in this description of the protocol, version 6:
q and N = 2q + 1 are chosen such that both are prime (N is a safe prime and q is a Sophie Germain prime). N must be large enough so that computing discrete logarithms modulo N is infeasible.
All arithmetic is performed in the field of integers modulo N, Z_N.
g is a generator of the multiplicative group Z_N*.
k is a parameter derived by both sides; for example, k = H(N, g).
s is a small salt: random bits hashed together with the password, so that the stored verifier is not a plain function of the password alone.
I is an identifying username.
p is the user's password.
H() is a cryptographic hash function; e.g., SHA-256.
v is the host's password verifier, v = g^x, where x = H(s, p).
a and b are random ephemeral private values; u = H(A, B) is the random scrambling parameter, derived from the public values.
| denotes concatenation.
All other variables are defined in terms of these.
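A client that did not obtain (N, g) from a trusted list should check that the parameters really satisfy the assumptions above before running the protocol, since a tampered modulus or generator undermines the exchange. The following is an added example in Python 3, not code from the page or from any SRP library: a Miller-Rabin test for N and q = (N - 1)/2, and the order test for g, which for a safe prime reduces to g^2 ≠ 1 and g^q ≠ 1 (mod N). The 1024-bit N is copied from the page's own Python example; the small groups in the demo (N = 23, 47) are constructed so the results can be checked by hand. Function names and the `min_bits` threshold are this example's own choices.

```python
import random

# 1024-bit modulus from the page's Python example ("openssl dhparam -text 1024"),
# copied here so this block runs on its own; g = 2 as on the page.
PAGE_N_HEX = """
00:c0:37:c3:75:88:b4:32:98:87:e6:1c:2d:a3:32:
4b:1b:a4:b8:1a:63:f9:74:8f:ed:2d:8a:41:0c:2f:
c2:1b:12:32:f0:d3:bf:a0:24:27:6c:fd:88:44:81:
97:aa:e4:86:a6:3b:fc:a7:b8:bf:77:54:df:b3:27:
c7:20:1f:6f:d1:7f:d7:fd:74:15:8b:d3:1c:e7:72:
c9:f5:f8:ab:58:45:48:a9:9a:75:9b:5a:2c:05:32:
16:2b:7b:62:18:e8:f1:42:bc:e2:c3:0d:77:84:68:
9a:48:3e:09:5e:70:16:18:43:79:13:a8:c3:9c:3d:
d0:d4:ca:3c:50:0b:88:5f:e3
"""
PAGE_N = int("".join(PAGE_N_HEX.split()).replace(":", ""), 16)
PAGE_G = 2


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin: trial division by small primes, then `rounds` random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0                    # n - 1 = d * 2^r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False               # this base witnesses compositeness
    return True


def is_safe_prime(n: int) -> bool:
    """N is a safe prime when N and q = (N - 1) / 2 are both prime."""
    return n >= 5 and n % 2 == 1 and is_probable_prime(n) and is_probable_prime((n - 1) // 2)


def is_generator(g: int, n: int) -> bool:
    """For a safe prime N the group order is 2q, so g generates all of Z_N*
    exactly when g^2 != 1 and g^q != 1 (mod N); otherwise its order is 1, 2 or q."""
    if not 1 < g < n - 1:
        return False
    return pow(g, 2, n) != 1 and pow(g, (n - 1) // 2, n) != 1


def validate_group(n: int, g: int, min_bits: int = 1024) -> list:
    """Return the list of problems with (N, g); an empty list means acceptable."""
    problems = []
    if not is_safe_prime(n):
        problems.append("N is not a safe prime")
    elif not is_generator(g, n):
        problems.append("g does not generate the multiplicative group mod N")
    if n.bit_length() < min_bits:
        problems.append("N has fewer than %d bits" % min_bits)
    return problems


if __name__ == "__main__":
    # Small groups first (checkable by hand), then the page's 1024-bit group.
    print("N=23, g=5:", validate_group(23, 5, min_bits=0) or "ok")
    print("N=23, g=2:", validate_group(23, 2, min_bits=0))  # 2 is a quadratic residue mod 23
    print("page N, g=2:", validate_group(PAGE_N, PAGE_G) or "ok")
```

For a safe prime the generator test needs only two modular exponentiations, which is why SRP deployments insist on safe primes rather than arbitrary primes, where checking the order of g would require the factorization of N - 1.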
First, to establish a password p with Steve, Carol picks a small random salt s, and computes x = H(s, p), v = g^x. Steve stores v and s, indexed by I, as Carol's password verifier and salt. x is discarded because it is equivalent to the plaintext password p. This step is completed before the system is used.
Carol → Steve: I | A, with A = g^a
Steve → Carol: s | B, with B = kv + g^b
Both: u = H(A, B)
Carol: S_Carol = (B - kg^x)^(a + ux)
Carol: K_Carol = H(S_Carol)
Steve: S_Steve = (Av^u)^b
Steve: K_Steve = H(S_Steve)
Now the two parties have a shared, strong session key K. To complete authentication, they need to prove to each other that their keys match. One possible way is as follows:
Carol → Steve: M1 = H(H(N) XOR H(g) | H(I) | s | A | B | K_Carol). Steve verifies M1.
Steve → Carol: M2 = H(A | M1 | K_Steve). Carol verifies M2.
This method requires guessing more of the shared state to be successful in impersonation than just the key. While most of the additional state is public, private information could safely be added to the inputs to the hash function, like the server private key. The two parties also employ the following safeguards:
Carol will abort if she receives B ≡ 0 (mod N) or u = 0. (With u = 0, S_Carol = (B - kg^x)^a no longer depends on x, so anyone holding a stolen verifier v = g^x could impersonate Carol.)
Steve will abort if he receives A ≡ 0 (mod N). (With A ≡ 0, S_Steve = (Av^u)^b is 0 whatever b is, so an attacker could compute K = H(0) and forge M1 without knowing the password.)
Carol must show her proof of K first. If Steve detects that Carol's proof is incorrect, he must abort without showing his own proof of K.
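The complete exchange above with all three safeguards enforced, as an added example in Python 3 (not the page's own code, which follows under "Implementation example in Python"). Carol and Steve run in one process; Steve withholds M2 unless M1 verifies; and `zero_A_attacker` shows what the A ≡ 0 (mod N) rule prevents by sending a multiple of N. The hash-input encoding, the names `Steve`, `carol`, `enroll` and `zero_A_attacker`, the `check_A` switch and the test password are this example's own assumptions rather than RFC 5054 wire format, so it will not interoperate with real SRP peers. N is the 1024-bit prime from the page's example.

```python
import hashlib
import hmac
import secrets

# 1024-bit safe prime and generator g = 2 from the page's Python example.
N_HEX = """
00:c0:37:c3:75:88:b4:32:98:87:e6:1c:2d:a3:32:
4b:1b:a4:b8:1a:63:f9:74:8f:ed:2d:8a:41:0c:2f:
c2:1b:12:32:f0:d3:bf:a0:24:27:6c:fd:88:44:81:
97:aa:e4:86:a6:3b:fc:a7:b8:bf:77:54:df:b3:27:
c7:20:1f:6f:d1:7f:d7:fd:74:15:8b:d3:1c:e7:72:
c9:f5:f8:ab:58:45:48:a9:9a:75:9b:5a:2c:05:32:
16:2b:7b:62:18:e8:f1:42:bc:e2:c3:0d:77:84:68:
9a:48:3e:09:5e:70:16:18:43:79:13:a8:c3:9c:3d:
d0:d4:ca:3c:50:0b:88:5f:e3
"""
N = int("".join(N_HEX.split()).replace(":", ""), 16)
g = 2


def H(*parts) -> int:
    """SHA-256 over a '|'-joined text rendering of the inputs (this example's
    own encoding, not the RFC 5054 wire format)."""
    return int.from_bytes(hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest(), "big")


k = H(N, g)  # SRP-6a multiplier, derived by both sides


def rand_exponent() -> int:
    return secrets.randbelow(N - 2) + 1  # ephemeral private value in [1, N-2]


def enroll(password: str) -> tuple:
    """Carol's one-time setup. Steve keeps (s, v); x is discarded."""
    s = secrets.randbits(64)
    return s, pow(g, H(s, password), N)


def client_proof(I: str, s: int, A: int, B: int, K: int) -> int:
    return H(H(N) ^ H(g), H(I), s, A, B, K)


class Steve:
    """Server side. check_A=False models a server that omits the A mod N check."""

    def __init__(self, I: str, s: int, v: int, check_A: bool = True):
        self.I, self.s, self.v, self.check_A = I, s, v, check_A

    def respond(self, A: int) -> tuple:
        if self.check_A and A % N == 0:
            raise ValueError("abort: A mod N == 0")
        self.A, b = A, rand_exponent()
        self.B = (k * self.v + pow(g, b, N)) % N
        u = H(A, self.B)
        self.K = H(pow((A * pow(self.v, u, N)) % N, b, N))  # S_Steve = (A v^u)^b
        return self.s, self.B

    def verify(self, M1: int) -> int:
        """Return M2 only if Carol's proof is right; otherwise abort without it."""
        expected = client_proof(self.I, self.s, self.A, self.B, self.K)
        if not hmac.compare_digest(str(expected), str(M1)):
            raise ValueError("abort: client proof mismatch")
        return H(self.A, M1, self.K)


def carol(I: str, password: str, steve: Steve) -> bool:
    """Client side; True when Steve's proof M2 verifies."""
    a = rand_exponent()
    A = pow(g, a, N)
    s, B = steve.respond(A)
    if B % N == 0:
        raise ValueError("abort: B mod N == 0")
    u = H(A, B)
    if u == 0:
        raise ValueError("abort: u == 0")
    x = H(s, password)
    K = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))  # S_Carol = (B - k g^x)^(a + ux)
    M1 = client_proof(I, s, A, B, K)
    M2 = steve.verify(M1)  # raises if Steve rejects M1
    return M2 == H(A, M1, K)


def zero_A_attacker(I: str, steve: Steve) -> bool:
    """Mallory knows only the username. Any A that is 0 mod N makes Steve's
    S = (A v^u)^b = 0, so his K is H(0) and M1 can be forged without the password."""
    A = 2 * N  # a multiple of N: the check must be on A mod N, not on A == 0
    s, B = steve.respond(A)  # raises if Steve enforces the check
    K = H(0)
    M1 = client_proof(I, s, A, B, K)
    return steve.verify(M1) == H(A, M1, K)


if __name__ == "__main__":
    s, v = enroll("correct horse battery staple")  # constructed test password
    print("honest login:", carol("carol", "correct horse battery staple", Steve("carol", s, v)))
    print("forged login vs. naive server:", zero_A_attacker("carol", Steve("carol", s, v, check_A=False)))
    try:
        zero_A_attacker("carol", Steve("carol", s, v))
    except ValueError as e:
        print("forged login vs. checking server:", e)
```

The proof comparison uses `hmac.compare_digest` so that a wrong M1 is rejected in constant time, and Steve computes M2 only after M1 has been accepted, matching the rule that Carol must prove knowledge of K first.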
Implementation example in Python
# An example SRP-6a authentication
# WARNING: Do not use for real cryptographic purposes beyond testing.
# based on http://srp.stanford.edu/design.html
import hashlib
import random

def global_print(*names):
    x = lambda s: ["%s", "0x%x"][isinstance(s, int)] % s
    print("".join("%s = %s\n" % (name, x(globals()[name])) for name in names))

def H(*a):  # a one-way hash function
    return int(hashlib.sha256(str(a).encode()).hexdigest(), 16) % N

def cryptrand(n=1024):
    return random.SystemRandom().getrandbits(n) % N

# A large safe prime (N = 2q+1, where q is prime)
# All arithmetic is done modulo N
# (generated using "openssl dhparam -text 1024")
N = '''00:c0:37:c3:75:88:b4:32:98:87:e6:1c:2d:a3:32:
4b:1b:a4:b8:1a:63:f9:74:8f:ed:2d:8a:41:0c:2f:
c2:1b:12:32:f0:d3:bf:a0:24:27:6c:fd:88:44:81:
97:aa:e4:86:a6:3b:fc:a7:b8:bf:77:54:df:b3:27:
c7:20:1f:6f:d1:7f:d7:fd:74:15:8b:d3:1c:e7:72:
c9:f5:f8:ab:58:45:48:a9:9a:75:9b:5a:2c:05:32:
16:2b:7b:62:18:e8:f1:42:bc:e2:c3:0d:77:84:68:
9a:48:3e:09:5e:70:16:18:43:79:13:a8:c3:9c:3d:
d0:d4:ca:3c:50:0b:88:5f:e3'''
N = int(''.join(N.split()).replace(':', ''), 16)
g = 2         # A generator modulo N
k = H(N, g)   # Multiplier parameter (k=3 in legacy SRP-6)

print("#. H, N, g, and k are known beforehand to both client and server:")
global_print("H", "N", "g", "k")

print("0. server stores (I, s, v) in its password database")
# the server must first generate the password verifier
I = "person"        # Username
p = "password1234"  # Password
s = cryptrand(64)   # Salt for the user
x = H(s, p)         # Private key
v = pow(g, x, N)    # Password verifier
global_print("I", "p", "s", "x", "v")

print("1. client sends username I and public ephemeral value A to the server")
a = cryptrand()
A = pow(g, a, N)
global_print("a", "A")  # client->server (I, A)

print("2. server sends user's salt s and public ephemeral value B to client")
b = cryptrand()
B = (k * v + pow(g, b, N)) % N
global_print("b", "B")  # server->client (s, B)

print("3. client and server calculate the random scrambling parameter")
u = H(A, B)  # Random scrambling parameter
global_print("u")

print("4. client computes session key")
x = H(s, p)
S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
K_c = H(S_c)
global_print("S_c", "K_c")

print("5. server computes session key")
S_s = pow((A * pow(v, u, N)) % N, b, N)
K_s = H(S_s)
global_print("S_s", "K_s")

print("6. client sends proof of session key to server")
M_c = H(H(N) ^ H(g), H(I), s, A, B, K_c)
global_print("M_c")
# client->server (M_c) ; server verifies M_c against its own K_s
assert M_c == H(H(N) ^ H(g), H(I), s, A, B, K_s)

print("7. server sends proof of session key to client")
M_s = H(A, M_c, K_s)
global_print("M_s")
# server->client (M_s) ; client verifies M_s against its own K_c
assert M_s == H(A, M_c, K_c)
Implementations
Nimbus SRP is a Java library providing a verifier generator and client- and server-side sessions. It includes interfaces for custom password key, client and server evidence message routines, has no external dependencies, and is released under the GNU General Public License.
MIRACL, an arbitrary-precision arithmetic package developed by Shamus Software that is often used in encryption and number-theory programs; its source code is publicly available and free for educational and non-commercial use.
OpenSSL, the open source implementation of the SSL and TLS protocols.
DragonSRP is a modular C++ implementation that currently works with OpenSSL.
RFCs
RFC 2944 - Telnet Authentication: SRP
RFC 2945 - The SRP Authentication and Key Exchange System
RFC 3720 - Internet Small Computer Systems Interface (iSCSI)
RFC 3723 - Securing Block Storage Protocols over IP
RFC 3669 - Guidelines for Working Groups on Intellectual Property Issues
RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication
The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.