Secure remote password protocol
The Secure Remote Password protocol (SRP) is a password-authenticated key agreement protocol.

Overview

The SRP protocol has a number of desirable properties: it allows a user to authenticate themselves to a server, it is resistant to dictionary attacks mounted by an eavesdropper, and it does not require a trusted third party. It effectively conveys a zero-knowledge password proof from the user to the server. Only one password can be guessed per attempt in revision 6 of the protocol. One of the interesting properties of the protocol is that even if one or two of the cryptographic primitives it uses are attacked, it is still secure. The SRP protocol has been revised several times, and is currently at revision six.

The SRP protocol creates a large private key shared between the two parties in a manner similar to Diffie–Hellman, then verifies to both parties that the two keys are identical and that both sides have the user's password. In cases where encrypted communications as well as authentication are required, the SRP protocol is more secure than the alternative SSH protocol and faster than using Diffie–Hellman with signed messages. It is also independent of third parties, unlike Kerberos. The SRP protocol, version 3, is described in RFC 2945. SRP version 6 is also used for strong password authentication in SSL/TLS (in TLS-SRP) and other standards such as EAP and SAML, and is being standardized in IEEE P1363 and ISO/IEC 11770-4.

Protocol

The following notation is used in this description of the protocol, version 6:
  • q and N = 2q + 1 are chosen such that both are prime (N is a safe prime and q is a Sophie Germain prime). N must be large enough so that computing discrete logarithms modulo N is infeasible.
  • All arithmetic is performed in the field of integers modulo N.
  • g is a generator of the multiplicative group.
  • k is a parameter derived by both sides; for example, k = H(N, g).
  • s is a small salt.
  • I is an identifying username.
  • p is the user's password.
  • H is a hash function; e.g., SHA-256.
  • v is the host's password verifier, v = g^x, x = H(s, p).
  • u, a and b are random.
  • | denotes concatenation.


All other variables are defined in terms of these.
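The requirements on the group parameters in the list above (N a safe prime, N large enough, g a generator of the whole multiplicative group) are exactly what a client should verify, or match against a list of known-good groups, whenever a server hands it (N, g). The following Python 3 code is an added example and not part of the article; it implements those checks. It reuses the 1024-bit N and g = 2 from the article's own Python listing further down; the Miller-Rabin round count and the 1024-bit minimum are this example's assumptions.

```python
# Added example, not code from the article: checking that (N, g) satisfy the
# requirements listed in the notation section before they are used for SRP.
import secrets

# The article's 1024-bit N from its Python listing (colons removed), g = 2.
N = int(
    "c037c37588b4329887e61c2da332" "4b1ba4b81a63f9748fed2d8a410c2f"
    "c21b1232f0d3bfa024276cfd884481" "97aae486a63bfca7b8bf7754dfb327"
    "c7201f6fd17fd7fd74158bd31ce772" "c9f5f8ab584548a99a759b5a2c0532"
    "162b7b6218e8f142bce2c30d778468" "9a483e095e701618437913a8c39c3d"
    "d0d4ca3c500b885fe3", 16)
g = 2

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=20):
    # Miller-Rabin with random bases; 20 rounds is this example's choice
    # (error probability below 4^-20 for a composite n).
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(n):
    # N = 2q + 1 with both N and q prime (q is then a Sophie Germain prime).
    return n % 2 == 1 and is_probable_prime(n) and is_probable_prime((n - 1) // 2)

def generates_whole_group(g, n):
    # For a safe prime n the group order is 2q, so g generates all of it exactly
    # when g is not +-1 (order 1 or 2) and g^q != 1 (order q).
    g %= n
    return g not in (0, 1, n - 1) and pow(g, (n - 1) // 2, n) != 1

def check_srp_group(n, g, min_bits=1024):
    # Named checks; a client handed (N, g) by a server should require all True,
    # or better, compare (N, g) against a fixed list of known-good groups.
    safe = is_safe_prime(n)
    return {
        "large_enough": n.bit_length() >= min_bits,
        "safe_prime": safe,
        "g_generates_group": safe and generates_whole_group(g, n),
    }

def demo():
    # Run the checks on the article's own (N, g).
    return check_srp_group(N, g)

if __name__ == "__main__":
    print(demo())
```

The generator check relies on N being a safe prime: with only two non-trivial divisors of the group order, a single exponentiation by q settles whether g has full order, which is why the safe-prime requirement makes the other checks cheap.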

First, to establish a password p with Steve, Carol picks a small random salt s, and computes x = H(s, p), v = g^x. Steve stores v and s, indexed by I, as Carol's password verifier and salt. x is discarded because it is equivalent to the plaintext password p. This step is completed before the system is used.
  1. Carol → Steve: I | A, with A = g^a
  2. Steve → Carol: s | B, with B = kv + g^b
  3. Both: u = H(A, B)
  4. Carol: S_Carol = (B - k·g^x)^(a + ux)
  5. Carol: K_Carol = H(S_Carol)
  6. Steve: S_Steve = (A·v^u)^b
  7. Steve: K_Steve = H(S_Steve)


Now the two parties have a shared, strong session key K. To complete authentication, they need to prove to each other that their keys match. One possible way is as follows:
  1. Carol → Steve: M1 = H(H(N) XOR H(g) | H(I) | s | A | B | K_Carol). Steve verifies M1.
  2. Steve → Carol: M2 = H(A | M1 | K_Steve). Carol verifies M2.


This method requires guessing more of the shared state to be successful in impersonation than just the key. While most of the additional state is public, private information could safely be added to the inputs to the hash function, like the server private key. The two parties also employ the following safeguards:
  1. Carol will abort if she receives B ≡ 0 (mod N) or u ≡ 0.
  2. Steve will abort if he receives A ≡ 0 (mod N).
  3. Carol must show her proof of K first. If Steve detects that Carol's proof is incorrect, he must abort without showing his own proof of K.
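The seven protocol steps, the M1/M2 key confirmation and the three safeguards above, run end to end as separate client and server objects that exchange only the protocol messages (I, A), (s, B), M1 and M2. This Python 3 code is an added example and not code from the article or from the Stanford reference implementation; it reuses the article's 1024-bit N and g = 2, while the byte encoding fed to H (integers as minimal big-endian bytes, strings as UTF-8), the 256-bit ephemeral exponents and the constructed credentials are this example's own choices rather than those of RFC 5054.

```python
# Added example, not code from the article: SRP-6a client and server as separate
# objects exchanging only (I, A), (s, B), M1, M2, with the three safeguards above.
import hashlib
import hmac
import secrets

# The article's 1024-bit safe prime N (leading 00 byte and colons removed), g = 2.
N = int(
    "c037c37588b4329887e61c2da332" "4b1ba4b81a63f9748fed2d8a410c2f"
    "c21b1232f0d3bfa024276cfd884481" "97aae486a63bfca7b8bf7754dfb327"
    "c7201f6fd17fd7fd74158bd31ce772" "c9f5f8ab584548a99a759b5a2c0532"
    "162b7b6218e8f142bce2c30d778468" "9a483e095e701618437913a8c39c3d"
    "d0d4ca3c500b885fe3", 16)
g = 2

def H(*parts):
    # SHA-256 over the parts. The encoding (ints as minimal big-endian bytes,
    # str as UTF-8) is this example's own convention, not RFC 5054's.
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # multiplier parameter, derived as in the article

def make_verifier(password, salt=None):
    # Enrolment: x is computed once and discarded; only (s, v) is stored.
    s = secrets.randbits(64) if salt is None else salt
    return s, pow(g, H(s, password), N)

def same(m1, m2):  # constant-time comparison of two 256-bit proofs
    return hmac.compare_digest(m1.to_bytes(32, "big"), m2.to_bytes(32, "big"))

class Server:
    def __init__(self):
        self.db = {}  # username I -> (s, v)
    def step2(self, I, A):
        # Receive (I, A). Safeguard 2: abort if A == 0 (mod N). Send (s, B).
        if A % N == 0:
            raise ValueError("abort: A == 0 (mod N)")
        self.I, (self.s, self.v), self.A = I, self.db[I], A
        self.b = secrets.randbits(256)
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.s, self.B
    def step4(self, M1):
        # Receive M1. Safeguard 3: verify it before revealing M2.
        u = H(self.A, self.B)
        self.K = H(pow(self.A * pow(self.v, u, N), self.b, N))
        expected = H(H(N) ^ H(g), H(self.I), self.s, self.A, self.B, self.K)
        if not same(M1, expected):
            raise ValueError("abort: client proof M1 is wrong; M2 withheld")
        return H(self.A, M1, self.K)

class Client:
    def __init__(self, I, password):
        self.I, self.p = I, password
    def step1(self):
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)
        return self.I, self.A
    def step3(self, s, B):
        # Receive (s, B). Safeguard 1: abort if B == 0 (mod N) or u == 0. Send M1.
        if B % N == 0:
            raise ValueError("abort: B == 0 (mod N)")
        u = H(self.A, B)
        if u == 0:
            raise ValueError("abort: u == 0")
        x = H(s, self.p)
        self.K = H(pow((B - k * pow(g, x, N)) % N, self.a + u * x, N))
        self.M1 = H(H(N) ^ H(g), H(self.I), s, self.A, B, self.K)
        return self.M1
    def step5(self, M2):
        if not same(M2, H(self.A, self.M1, self.K)):
            raise ValueError("abort: server proof M2 is wrong")
        return self.K

def run_login(server, I, password):
    # Drive one full exchange; returns (K_client, K_server) on success.
    client = Client(I, password)
    s, B = server.step2(*client.step1())
    M2 = server.step4(client.step3(s, B))
    return client.step5(M2), server.K

def rejects(fn, *args):
    # True if the call aborts with ValueError (exercises the safeguards).
    try:
        fn(*args)
        return False
    except ValueError:
        return True

def demo():
    # Constructed credentials: the right password yields matching keys,
    # a wrong one is rejected by the server before M2 is sent.
    server = Server()
    server.db["carol"] = make_verifier("correct horse battery")
    Kc, Ks = run_login(server, "carol", "correct horse battery")
    return Kc == Ks, rejects(run_login, server, "carol", "wrong password")

if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The server never learns x or p: it derives K from (A, v, b) alone, so a stolen (s, v) record does not let anyone log in as Carol without first solving a discrete logarithm. And because step4 raises before returning M2, a wrong M1 gives the sender nothing derived from the server's key, which is what safeguard 3 requires.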

Implementation example in Python

# An example SRP-6a authentication (Python 3)
# WARNING: Do not use for real cryptographic purposes beyond testing.
# based on http://srp.stanford.edu/design.html

import hashlib
import random

def global_print(*names):
    # print the named globals, showing integers in hex
    x = lambda s: ["%s", "0x%x"][isinstance(s, int)] % s
    print("".join("%s = %s\n" % (name, x(globals()[name])) for name in names))

def H(*a):  # a one-way hash function
    return int(hashlib.sha256(str(a).encode()).hexdigest(), 16) % N

def cryptrand(n=1024):
    return random.SystemRandom().getrandbits(n) % N

# A large safe prime (N = 2q+1, where q is prime)
# All arithmetic is done modulo N
# (generated using "openssl dhparam -text 1024")
N = """00:c0:37:c3:75:88:b4:32:98:87:e6:1c:2d:a3:32:
4b:1b:a4:b8:1a:63:f9:74:8f:ed:2d:8a:41:0c:2f:
c2:1b:12:32:f0:d3:bf:a0:24:27:6c:fd:88:44:81:
97:aa:e4:86:a6:3b:fc:a7:b8:bf:77:54:df:b3:27:
c7:20:1f:6f:d1:7f:d7:fd:74:15:8b:d3:1c:e7:72:
c9:f5:f8:ab:58:45:48:a9:9a:75:9b:5a:2c:05:32:
16:2b:7b:62:18:e8:f1:42:bc:e2:c3:0d:77:84:68:
9a:48:3e:09:5e:70:16:18:43:79:13:a8:c3:9c:3d:
d0:d4:ca:3c:50:0b:88:5f:e3"""
N = int("".join(N.split()).replace(":", ""), 16)
g = 2  # A generator modulo N

k = H(N, g)  # Multiplier parameter (k=3 in legacy SRP-6)

print("#. H, N, g, and k are known beforehand to both client and server:")
global_print("H", "N", "g", "k")

print("0. server stores (I, s, v) in its password database")
# the server must first generate the password verifier
I = "person"  # Username
p = "password1234"  # Password
s = cryptrand(64)  # Salt for the user
x = H(s, p)  # Private key
v = pow(g, x, N)  # Password verifier
global_print("I", "p", "s", "x", "v")

print("1. client sends username I and public ephemeral value A to the server")
a = cryptrand()
A = pow(g, a, N)
global_print("a", "A")  # client->server (I, A)

print("2. server sends user's salt s and public ephemeral value B to client")
assert A % N != 0  # server aborts if A == 0 (mod N)
b = cryptrand()
B = (k * v + pow(g, b, N)) % N
global_print("b", "B")  # server->client (s, B)

print("3. client and server calculate the random scrambling parameter")
assert B % N != 0  # client aborts if B == 0 (mod N)
u = H(A, B)  # Random scrambling parameter
assert u != 0  # client aborts if u == 0
global_print("u")

print("4. client computes session key")
x = H(s, p)
S_c = pow(B - k * pow(g, x, N), a + u * x, N)
K_c = H(S_c)
global_print("S_c", "K_c")

print("5. server computes session key")
S_s = pow(A * pow(v, u, N), b, N)
K_s = H(S_s)
global_print("S_s", "K_s")

print("6. client sends proof of session key to server")
M_c = H(H(N) ^ H(g), H(I), s, A, B, K_c)
global_print("M_c")
# client->server (M_c) ; server verifies M_c

print("7. server sends proof of session key to client")
M_s = H(A, M_c, K_s)
global_print("M_s")
# server->client (M_s) ; client verifies M_s


Real world implementations

  • TLS-SRP is a set of ciphersuites for Transport Layer Security that uses SRP.
  • The Javascript Crypto Library includes a JavaScript implementation of the SRP protocol, open source, GPL licensed. It is used in the Clipperz online password manager.
  • The Srp-Hermetic Library uses SRP as part of the process to establish a secure AJAX channel. Srp-Hermetic is released under the MIT open source license.
  • GNU Crypto provides a Java implementation licensed under the GNU General Public License with the "library exception", which permits its use as a library in conjunction with non-Free software.
  • The Legion of the Bouncy Castle provides Java and C# implementations under the MIT License.
  • Nimbus SRP is a Java library providing a verifier generator and client- and server-side sessions. It includes interfaces for custom password key, client and server evidence message routines, has no external dependencies, and is released under the GNU General Public License and a proprietary license.
  • srplibcpp is a C++ implementation based on MIRACL.
  • csrp is a C implementation that depends on OpenSSL.
  • DragonSRP is a modular C++ implementation that currently works with OpenSSL.


RFCs

  • RFC 2944 - Telnet Authentication: SRP
  • RFC 2945 - The SRP Authentication and Key Exchange System
  • RFC 3720 - Internet Small Computer Systems Interface (iSCSI)
  • RFC 3723 - Securing Block Storage Protocols over IP
  • RFC 3669 - Guidelines for Working Groups on Intellectual Property Issues
  • RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication

Other links

  • IEEE 1363
  • SRP Intellectual Property Slides
  • Trusted HTTP -- website and wiki about implementing TLS-SRP in libraries (GnuTLS, OpenSSL, NSS, Python), servers (Apache), and clients (curl, Firefox, Chrome)
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 