Secure Remote Password protocol – Wikipedia

Augmented password-authenticated key substitute protocol
The Secure Remote Password protocol ( SRP ) is an augment password-authenticated samara rally ( PAKE ) protocol, specifically designed to work around existing patents. [ 1 ] Like all PAKE protocols, an eavesdropper or man in the middle can not obtain enough information to be able to brute-force guess a password or apply a dictionary attack without farther interactions with the parties for each think. furthermore, being an augmented PAKE protocol, the waiter does not store password-equivalent data. [ 2 ] This means that an attacker who steals the server data can not masquerade as the node unless they first perform a beastly force search for the password. In layman ‘s terms, during SRP ( or any early PAKE protocol ) authentication, one party ( the “ node ” or “ user ” ) demonstrates to another party ( the “ waiter ” ) that they know the password, without sending the password itself nor any other information from which the password can be derived. The password never leaves the client and is nameless to the server.

furthermore, the waiter besides needs to know about the password ( but not the password itself ) in holy order to instigate the guarantee connection. This means that the waiter besides authenticates itself to the client which prevents phishing without reliance on the user parsing complex URLs. Newer alternative algorithm include AuCPace [ 3 ] and OPAQUE [ 4 ] [ 5 ]

overview [edit ]

The SRP protocol has a number of desirable properties : it allows a exploiter to authenticate themselves to a server, it is repellent to dictionary attacks mounted by an eavesdropper, and it does not require a trust third party. It efficaciously conveys a zero-knowledge password proof from the user to the server. In revision 6 of the protocol merely one password can be guessed per connection undertake. One of the matter to properties of the protocol is that even if one or two of the cryptanalytic primitives it uses are attacked, it is still impregnable. The SRP protocol has been revised several times, and is presently at revision 6a. The SRP protocol creates a big individual key shared between the two parties in a manner similar to Diffie–Hellman key substitution based on the client side having the drug user password and the server side having a cryptanalytic voucher derived from the password. The shared public key is derived from two random numbers, one generated by the node, and the other generated by the server, which are unique to the login try. In cases where encrypted communications a well as authentication are required, the SRP protocol is more secure than the alternative SSH protocol and faster than using Diffie–Hellman key substitute with sign messages. It is besides autonomous of third parties, unlike Kerberos. The SRP protocol, translation 3 is described in RFC 2945. SRP version 6 is besides used for strong password authentication in SSL/TLS [ 6 ] ( in TLS-SRP ) and other standards such as EAP [ 7 ] and SAML, and is being standardized in IEEE P1363 and ISO/IEC 11770-4 .

protocol [edit ]

The follow notation is used in this description of the protocol, translation 6 :
All other variables are defined in terms of these. first, to establish a password p with server Steve, client Carol picks a little random salt s, and computes x = H ( s, p ), v = g x. Steve stores v and s, indexed by I, as Carol ‘s password voucher and salt. Carol must not contribution x with anybody, and must safely erase it at this step, because it is equivalent to the plaintext password p. This gradation is completed before the system is used as function of the user registration with Steve. note that the salt s is shared and exchanged to negotiate a session key late so the rate could be chosen by either english but is done by Carol so that she can register I, s and v in a individual registration request. The transmittance and authentication of the adjustment request is not covered in SRP. then to perform a proof of password at a late date the following commute protocol occurs :

  1. Carol → Steve: generate random value a; send I and A = ga
  2. Steve → Carol: generate random value b; send s and B = kv + gb
  3. Both: u = H(A, B)
  4. Carol: SCarol = (Bkgx)(a + ux) = (kv + gb − kgx)(a + ux) = (kgx − kgx + gb)(a + ux) = (gb)(a + ux)
  5. Carol: KCarol = H(SCarol)
  6. Steve: SSteve = (Avu)b = (gavu)b = [ga(gx)u]b = (ga + ux)b = (gb)(a + ux)
  7. Steve: KSteve = H(SSteve) = KCarol

now the two parties have a shared, impregnable session key K. To complete authentication, they need to prove to each other that their keys match. One possible way is as follows :

  1. Carol → Steve: M1 = H[H(N) XOR H(g) | H(I) | s | A | B | KCarol] ) | ) |M1.
  2. Steve → Carol: M 2 = H ( A | M 1 | K Steve ). Carol verifies M2.

This method requires guessing more of the shared department of state to be successful in imposture than just the key. While most of the extra state is public, individual data could safely be added to the inputs to the hash function, like the server secret key. [ clarification needed ] alternatively, in a password-only proof the calculation of K can be skipped and the shared S prove with :

  1. Carol → Steve: M 1 = H ( A | B | S Carol ). Steve verifies M1.
  2. Steve → Carol: M 2 = H ( A | M 1 | S Steve ). Carol verifies M2.

When using SRP to negotiate a shared samara K which will be immediately used after the negotiation the confirmation steps of M 1 and M 2 may be skipped. The server will reject the very beginning request from the node which it can not decrypt. Skipping the verification steps can be dangerous. [ citation needed ] The two parties besides employ the follow safeguards :

  1. Carol will abort if she receives B = 0 (mod N) or u = 0.
  2. Steve will abort if he receives A (mod N) = 0.
  3. Carol must show her proof of K (or S) first. If Steve detects that Carol’s proof is incorrect, he must abort without showing his own proof of K (or S)

example code in Python [edit ]

 # ! /usr/bin/env ipython3 -m IPython.lib.demo -- -C
 `` `` ''
 An case SRP authentication

 warning : Do not use for real cryptanalytic purposes beyond testing .
 warn : This below code misses authoritative safeguards. It does not check A, B, and U are not zero .

 based on hypertext transfer protocol : //srp.stanford.edu/design.html
 `` `` ''
 import  hashlib
 import  random

 # note : str converts as is, str ( [ 1,2,3,4 ] ) will convert to `` [ 1,2,3,4 ] ''
 def  planck's constant ( * args )  - >  int :
     `` `` '' A one-way hash function. '' '' ''
     a  =  `` : ''. join ( str ( a )  for  a  in  args )
     render  int ( hashlib. sha256 ( a. encode ( `` utf-8 '' ) ). hexdigest ( ),  16 )

 def  cryptrand ( north :  int  =  1024 ) :
     return  random. SystemRandom ( ). getrandbits ( north )  %  north

 # A boastfully safe prime ( N = 2q+1, where q is prime )
 # All arithmetical is done modulo N
 # ( generated using `` openssl dhparam -text 1024 '' )
 normality  =  `` `` '' 00 : c0:37 : c3:75:88 : b4:32:98:87 : e6:1c:2d : a3:32 :
 4b:1b : a4 : b8:1a:63 : f9:74:8f : ed:2d:8a:41:0c:2f :
 c2:1b:12:32 : f0 : d3 : bf : a0:24:27:6c : fd:88:44:81 :
 97 : aa : e4:86 : a6:3b : fc : a7 : b8 : bf:77:54 : df : b3:27 :
 c7:20:1f:6f : d1:7f : d7 : fd:74:15:8b : d3:1c : e7:72 :
 c9 : f5 : f8 : ab:58:45:48 : a9:9a:75:9b:5a:2c:05:32 :
 16:2b:7b:62:18 : e8 : f1:42 : bc : e2 : c3:0d:77:84:68 :
 9a:48:3e:09:5e:70:16:18:43:79:13 : a8 : c3:9c:3d : '' '' ''
     
 n  =  int ( `` ``. join ( n. split ( ) ). replace ( `` : '',  `` `` ),  16 )
 deoxyguanosine monophosphate  =  2   # A generator modulo N

 kilobyte  =  heat content ( north,  guanine )  # Multiplier argument ( k=3 in bequest SRP-6 )

 f  =  ' # 0x '  # Format specifier

 mark ( `` #. H, N, gram, and k are known ahead to both client and server : '' )
 print ( farad ' { planck's constant  = } \n { n  = : { degree fahrenheit } } \n { g  = : { f } } \n { kilobyte  = : { degree fahrenheit } } ' )

 print ( `` \n 0. server stores ( I, sulfur, five ) in its password database '' )

 # The server must first generate the password voucher
 I  =  `` person ''         # Username
 phosphorus  =  `` password1234 ''   # Password
 s  =  cryptrand ( 64 )    # Salt for the user
 ten  =  hydrogen ( mho,  I,  p )       # Private key
 volt  =  prisoner of war ( g,  ten,  n )     # Password voucher

 photographic print ( fluorine ' { I  = } \n { phosphorus  = } \n { sulfur  = : { f } } \n { adam  = : { degree fahrenheit } } \n { five  = : { farad } } ' )

 #  --- stop ---

 print ( `` \n 1. client sends username I and populace ephemeron value A to the waiter '' )
 a  =  cryptrand ( )
 A  =  prisoner of war ( gigabyte,  a,  normality ) 
 print ( f `` { I  = } \n { A  = : { fluorine } } `` )   # client- > server ( I, A )

 #  --- stop ---

 print ( `` \n 2. server sends user 's salt south and populace ephemeral value B to customer '' )
 boron  =  cryptrand ( )
 b  =  ( thousand  *  five  +  prisoner of war ( thousand,  b-complex vitamin,  n ) )  %  newton
 print ( fluorine `` { second  = : { degree fahrenheit } } \n { b  = : { fluorine } } `` )   # server- > customer ( s, B )

 #  --- stop ---

 print ( `` \n 3. customer and server calculate the random scrambling argument '' )
 uracil  =  h ( A,  b-complex vitamin )   # Random scrambling parameter
 print ( farad `` { uranium  = : { f } } `` )

 #  --- stop ---

 print ( `` \n 4. client computes session cardinal '' )
 x  =  hydrogen ( second,  I,  p )
 S_c  =  prisoner of war ( b-complex vitamin  -  potassium  *  prisoner of war ( deoxyguanosine monophosphate,  x,  n ),  a  +  u  *  x,  newton )
 K_c  =  h ( S_c )
 print ( farad `` { S_c  = : { farad } } \n { K_c  = : { farad } } `` )

 #  --- stop ---

 photographic print ( `` \n 5. server computes seance key '' )
 S_s  =  prisoner of war ( A  *  prisoner of war ( v,  uranium,  normality ),  barn,  north )
 K_s  =  hydrogen ( S_s )
 print ( fluorine `` { S_s  = : { fluorine } } \n { K_s  = : { f } } `` )

 #  --- stop ---

 print ( `` \n 6. client sends proof of school term key to server '' )
 M_c  =  henry ( h ( normality )  ^  hydrogen ( gram ),  hydrogen ( I ),  mho,  A,  b-complex vitamin,  K_c )
 print ( fluorine `` { M_c  = : { f } } `` )
 # client- > server ( M_c ) ; server verifies M_c

 #  --- stop ---

 print ( `` \n 7. server sends proof of seance key to client '' )
 M_s  =  h ( A,  M_c,  K_s )
 print ( farad `` { M_s  = : { farad } } `` ) 
 # server- > customer ( M_s ) ; customer verifies M_s

Implementations [edit ]

See besides [edit ]

References [edit ]

  • Official website
  • SRP License—BSD like open source.
  • US6539479 – SRP Patent (Expired on May 12, 2015 due to failure to pay maintenance fees (according to Google Patents). Originally set to expire in July 2018).

manual pages [edit ]

  • pppd(8): Point-to-Point Protocol Daemon
  • srptool(1): Simple SRP password tool

RFCs [edit ]

  • RFC 2944 – Telnet Authentication: SRP
  • RFC 2945 – The SRP Authentication and Key Exchange System (version 3)
  • RFC 3720 – Internet Small Computer Systems Interface (iSCSI)
  • RFC 3723 – Securing Block Storage Protocols over IP
  • RFC 3669 – Guidelines for Working Groups on Intellectual Property Issues
  • RFC 5054 – Using the Secure Remote Password (SRP) Protocol for TLS Authentication
informant : https://coinselected.com
Category : crypto topics

Leave a Reply

Your email address will not be published.