Secure remote password protocol
The Secure Remote Password protocol (SRP) is a password-authenticated key agreement protocol.
Overview
The SRP protocol has a number of desirable properties: it allows a user to authenticate themselves to a server, it is resistant to dictionary attacks mounted by an eavesdropper, and it does not require a trusted third party. It effectively conveys a zero-knowledge password proof from the user to the server. Only one password can be guessed at per attempt in revision 6 of the protocol. One of the interesting properties of the protocol is that even if one or two of the cryptographic primitives it uses are attacked, it is still secure. The SRP protocol has been revised several times, and is currently at revision six.
The SRP protocol creates a large private key shared between the two parties in a manner similar to Diffie–Hellman, then verifies to both parties that the two keys are identical and that both sides have the user's password. In cases where encrypted communications as well as authentication are required, the SRP protocol is more secure than the alternative SSH protocol and faster than using Diffie–Hellman with signed messages. It is also independent of third parties, unlike Kerberos. The SRP protocol, version 3, is described in RFC 2945. SRP version 6 is also used for strong password authentication in SSL/TLS (in TLS-SRP) and other standards such as EAP and SAML, and is being standardized in IEEE P1363 and ISO/IEC 11770-4.
Protocol
The following notation is used in this description of the protocol, version 6:
- q and N = 2q + 1 are chosen such that both are prime (N is a safe prime and q is a Sophie Germain prime). N must be large enough so that computing discrete logarithms modulo N is infeasible.
- All arithmetic is performed in the field of integers modulo N.
- g is a generator of the multiplicative group.
- k is a parameter derived by both sides; for example, k = H(N, g).
- s is a small salt.
- I is an identifying username.
- p is the user's password.
- H is a hash function; e.g., SHA-256.
- v is the host's password verifier, v = g^x, x = H(s, p).
- u, a and b are random.
- | denotes concatenation.
All other variables are defined in terms of these.
First, to establish a password p with Steve, Carol picks a small random salt s, and computes x = H(s, p), v = g^x. Steve stores v and s, indexed by I, as Carol's password verifier and salt. x is discarded because it is equivalent to the plaintext password p. This step is completed before the system is used.
- Carol → Steve: I | A, with A = g^a
- Steve → Carol: s | B, with B = kv + g^b
- Both: u = H(A, B)
- Carol: S_Carol = (B − k·g^x)^(a + ux)
- Carol: K_Carol = H(S_Carol)
- Steve: S_Steve = (A·v^u)^b
- Steve: K_Steve = H(S_Steve)
Now the two parties have a shared, strong session key K. To complete authentication, they need to prove to each other that their keys match. One possible way is as follows:
- Carol → Steve: M1 = H(H(N) XOR H(g) | H(I) | s | A | B | K_Carol). Steve verifies M1.
- Steve → Carol: M2 = H(A | M1 | K_Steve). Carol verifies M2.
This method requires guessing more of the shared state to be successful in impersonation than just the key. While most of the additional state is public, private information could safely be added to the inputs to the hash function, like the server private key. The two parties also employ the following safeguards:
- Carol will abort if she receives B ≡ 0 (mod N) or u = 0.
- Steve will abort if he receives A ≡ 0 (mod N).
- Carol must show her proof of K first. If Steve detects that Carol's proof is incorrect, he must abort without showing his own proof of K.
Implementation example in Python
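The following is an added worked example of the revision-6 exchange described above, written for this page rather than taken from any SRP library. It runs the registration step, the A/B exchange, the key derivation on both sides, the M1/M2 proofs in the required order, and the abort safeguards. The group N = 1019, g = 2 is a constructed toy safe-prime group chosen so the code runs instantly; the fixed 32-byte encoding of integers fed to H and the 64-bit salt width are likewise assumptions for illustration, not part of the protocol description.

```python
import hashlib
import secrets

# Constructed toy group, for illustration only: N = 2q + 1 = 1019 is a safe
# prime (q = 509) and g = 2 generates its multiplicative group. Real deployments
# use the large groups of RFC 5054; the rest follows the revision-6 steps above.
N, g = 1019, 2

def H(*parts):
    """H(a | b | ...): SHA-256 over the concatenation, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:  # strings as UTF-8, integers as fixed 32-byte big-endian
        h.update(p.encode() if isinstance(p, str) else p.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)                                   # multiplier parameter k = H(N, g)

class SRPAbort(Exception):
    """One of the safeguards listed above fired; the run is abandoned."""

def register(p, s=None):
    """Carol's one-time setup: x = H(s, p), v = g^x. Steve keeps (s, v); x is dropped."""
    s = secrets.randbelow(2**64) if s is None else s     # assumed salt width
    return s, pow(g, H(s, p), N)

def run_srp(I, p, s, v, a=None, b=None):
    """One SRP-6 exchange: Carol holds (I, p), Steve holds (s, v) under I.
    Returns (K_Carol, K_Steve); a and b are random unless fixed for tests."""
    a = secrets.randbelow(N - 2) + 1 if a is None else a
    b = secrets.randbelow(N - 2) + 1 if b is None else b
    A = pow(g, a, N)                          # Carol -> Steve: I | A
    if A % N == 0:
        raise SRPAbort("Steve: A == 0 (mod N)")
    B = (k * v + pow(g, b, N)) % N            # Steve -> Carol: s | B
    if B % N == 0:
        raise SRPAbort("Carol: B == 0 (mod N)")
    u = H(A, B)                               # computed by both sides
    if u == 0:
        raise SRPAbort("Carol: u == 0")
    x = H(s, p)                               # Carol recomputes x from her password
    K_c = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))  # (B - k g^x)^(a + ux)
    K_s = H(pow(A * pow(v, u, N) % N, b, N))                 # (A v^u)^b
    # Carol must prove first; Steve answers with M2 only if M1 checks out.
    M1 = H(H(N) ^ H(g), H(I), s, A, B, K_c)
    if M1 != H(H(N) ^ H(g), H(I), s, A, B, K_s):
        raise SRPAbort("Steve: bad M1, aborting without sending M2")
    M2 = H(A, M1, K_s)
    if M2 != H(A, M1, K_c):
        raise SRPAbort("Carol: bad M2")
    return K_c, K_s
```

A wrong password on Carol's side changes x, so her S no longer reduces to g^(b(a+ux)) and Steve rejects M1 without revealing M2.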
Real world implementations
- TLS-SRP is a set of ciphersuites for transport layer security that uses SRP.
- The Javascript Crypto Library includes a Javascript implementation of the SRP protocol, open source, GPL licensed. Used in the Clipperz online password manager.
- The Srp-Hermetic Library uses SRP as part of the process to establish a secure AJAX channel. Srp-Hermetic is released under the MIT open source license.
- Gnu Crypto provides a Java implementation licensed under the GNU General Public License with the "library exception", which permits its use as a library in conjunction with non-Free software.
- The Legion of the Bouncy Castle provides Java and C# implementations under the MIT License.
- Nimbus SRP is a Java library providing a verifier generator and client and server-side sessions. It includes interfaces for custom password key, client and server evidence message routines, and has no external dependencies. Released under the GNU General Public License and a proprietary license.
- srplibcpp is a C++ implementation based on MIRACL.
- csrp is a C implementation that depends on OpenSSL.
- DragonSRP is a modular C++ implementation that currently works with OpenSSL.
RFCs
- RFC 2944 - Telnet Authentication: SRP
- RFC 2945 - The SRP Authentication and Key Exchange System
- RFC 3720 - Internet Small Computer Systems Interface (iSCSI)
- RFC 3723 - Securing Block Storage Protocols over IP
- RFC 3669 - Guidelines for Working Groups on Intellectual Property Issues
- RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication
Other links
- IEEE 1363
- SRP Intellectual Property Slides
- Trusted HTTP -- website and wiki about implementing TLS-SRP in libraries (GnuTLS, OpenSSL, NSS, Python), servers (apache), and clients (curl, Firefox, Chrome)