User authentication with passwords, What’s SRP?

The Secure Remote Password (SRP) protocol is first and foremost a Password Authenticated Key Exchange (PAKE). Specifically, SRP is an asymmetric or augmented PAKE: it's a key exchange where only one side is authenticated, thanks to a password. This is usually useful for user authentication protocols. Theoretically any client-server protocol that relies on passwords (like SSH) could be doing it, but instead such protocols often have the password sent directly to the server (hopefully over a secure connection). As such, asymmetric PAKEs offer an interesting way to augment user authentication protocols so that the server never learns the user's password.
Note that the other type of PAKE is called a symmetric or balanced PAKE. In a symmetric PAKE both sides are authenticated thanks to the same password. This is usually useful in user-aided authentication protocols where a user attempts to pair two physical devices together, for example a mobile phone or laptop to a WiFi router. (Note that the recent WiFi protocol WPA3 uses the Dragonfly symmetric PAKE for this.)
user (aided) authentication
In this blog post I will answer the following questions:

  • What is SRP?
  • How does SRP work?
  • Should I use SRP today?

What is SRP?

The Stanford University SRP home page puts it in these words:

The Secure Remote Password protocol performs secure remote authentication of short human-memorizable passwords and resists both passive and active network attacks. Because SRP offers this unique combination of password security, user convenience, and freedom from restrictive licenses, it is the most widely standardized protocol of its type, and as a result is being used by organizations both large and small, commercial and open-source, to secure nearly every type of human-authenticated network traffic on a variety of computing platforms.

and goes on to say:

The SRP ciphersuites have become established as the solution for secure mutual password authentication in SSL/TLS, solving the common problem of establishing a secure communication session based on a human-memorized password in a way that is cryptographically sound, standardized, peer-reviewed, and has multiple interoperating implementations. As with any crypto primitive, it is almost always better to reuse an existing well-tested package than to start from scratch.

But the Stanford SRP home page seems to date from the late 90s.
SRP was standardized for the first time in 2000 in RFC 2944 – Telnet Authentication: SRP. Nowadays, most people refer to SRP as the version used in TLS. This one was specified in 2007 in RFC 5054 – Using the Secure Remote Password (SRP) Protocol for TLS Authentication.

How does SRP work?

The Stanford SRP page lists 4 different versions of SRP, with the last one being SRP 6. I'm not sure where versions 4 and 5 are, but version 6 is the version that is standardized and implemented in TLS. There is also the revision SRP 6a, but I'm also not sure if it's in use anywhere today.
SRP registration
To register, Alice sends her identity, a random $salt$, and a salted hash $x$ of her password. Right from the beginning, you can see that a plain hash function is used (rather than a password hashing function like Argon2), and thus anyone who sees this message can efficiently brute-force the hashed password. Not great. The use of the user-generated salt, though, does prevent brute-force attacks that would impact all users at once.
The server can then register Alice by exponentiating a generator of a pre-determined ring (an additive group with a multiplicative operation) with the hashed password. This is an important step, as you will see that anyone with knowledge of $x$ can impersonate Alice.
What follows is the login protocol:
SRP login
You can immediately see why this is called a password authenticated key exchange: the login flow includes the standard ephemeral key exchange, with a twist: the server's public key $B'$ is blinded, or hidden, with $v$, a value derived from Alice's password. (Note that here $k$ is a constant fixed by the protocol, so we will just ignore it.)
Alice can only unblind the server's ephemeral key by deriving $v$ herself. To do this, she needs the $salt$ she registered with (and this is why the server sends it back to Alice as part of the flow). For Alice, the SRP login flow goes like this:

  • Alice re-computes $x = H(salt, password)$ using her password and the salt received from the server.
  • Alice unblinds the server’s ephemeral key by computing $B = B' - kg^x = g^b$
  • Alice then computes the shared secret $S$ by multiplying the results of two key exchanges:
    • $B^a$, the ephemeral key exchange
    • $B^{ux}$, a key exchange between the server’s public key and a value combining the hashed password and the two ephemeral public keys

Interestingly, the second key exchange makes sure that the hashed password and the transcript get involved in the computation of the shared secret. But strangely, only the public keys, and not the entire transcript, are used.
The server can then compute the shared secret $S$ as well, using the product of the same two key exchanges:

  • $A^b$, the ephemeral key exchange
  • $v^{ub}$, the other key exchange involving the hashed password and the two ephemeral public keys

The final step is for both sides to hash the shared secret and use it as the session key $K = H(S)$. Key confirmation can then happen after both sides make successful use of this session key. (Without key confirmation, you're not sure if the other side managed to perform the PAKE.)
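The registration and login flow described above, carried through end to end as an added example (not code from the original post or from any SRP library). It assumes a tiny constructed safe prime for readability, a SHA-256 instance of $H$, and derives the constant $k$ as $H(N, g)$ in the SRP-6a style; none of these choices are from the post, and a real deployment would use an RFC 5054 group.

```python
import hashlib
import secrets

N = 1019  # constructed toy safe prime (2*509 + 1): readable, NOT secure; use an RFC 5054 group in practice
g = 2     # generator of the multiplicative group mod N

def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def H(*parts) -> int:
    """Plain hash, as the post describes (not a password hash such as Argon2)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else to_bytes(p))
    return int.from_bytes(h.digest(), "big")

k = H(N, g) % N  # protocol constant; derived as H(N, g) here (SRP-6a convention, an assumption)

def client_register(salt: bytes, password: bytes) -> int:
    # Alice sends (identity, salt, x); note that x alone is enough to impersonate her later
    return H(salt, password)

def server_register(x: int) -> int:
    return pow(g, x, N)  # verifier v = g^x, the password-derived value the server keeps

def server_challenge(v: int):
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N  # B' = k*v + g^b: the blinded ephemeral key

def client_key(salt: bytes, password: bytes, a: int, A: int, B_blind: int) -> int:
    x = H(salt, password)                         # x recomputed from the salt the server sent back
    B = (B_blind - k * pow(g, x, N)) % N          # unblind: B' - k*g^x = g^b
    u = H(A, B_blind)                             # only the public keys enter u, not the whole transcript
    S = (pow(B, a, N) * pow(B, u * x, N)) % N     # B^a * B^(ux)
    return H(S)                                   # K = H(S)

def server_key(v: int, b: int, A: int, B_blind: int) -> int:
    u = H(A, B_blind)
    S = (pow(A, b, N) * pow(v, u * b, N)) % N     # A^b * v^(ub)
    return H(S)

def srp_login(salt: bytes, password: bytes, v: int):
    """One login run; returns (client K, server K, key confirmation passed)."""
    b, B_blind = server_challenge(v)
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    Kc = client_key(salt, password, a, A, B_blind)
    Ks = server_key(v, b, A, B_blind)
    M1 = H(A, B_blind, Kc)                        # client proves it derived K
    return Kc, Ks, H(A, B_blind, Ks) == M1        # server checks before trusting the session
```

Both sides reach $g^{b(a+ux)}$: the client as $B^a \cdot B^{ux}$ after unblinding, the server as $A^b \cdot v^{ub}$ without ever seeing the password.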

Should I use SRP today?

The SRP scheme is a much better way to handle user passwords, but it has a number of flaws that make the PAKE protocol less than ideal. For example, someone who intercepts the registration process can then easily impersonate Alice, as the password is never directly used in the protocol, but rather the salted hash of the password, which is communicated during the registration process.
This was noticed by multiple security researchers over the years. Matthew Green in 2018 wrote Should you use SRP?, in which he says:

Lest you think these positive results are all by design, I would note that there are [five prior versions] of the SRP protocol, each of which contains vulnerabilities. So the current status seems to have arrived through a process of attrition, more than design.

After noting that the combination of multiplication and addition makes it impossible to implement in elliptic curve groups, Matthew Green concludes with:

In summary, SRP is just weird. It was created in 1998 and bears all the marks of a protocol invented in the prehistoric days of crypto. It's been repeatedly broken in various ways, though the most recent [v6] revision doesn't seem obviously busted — as long as you implement it carefully and use the right parameters. It has no security proof worth a damn, though some will say this doesn't matter (I disagree with them.)

Furthermore, SRP is not available in the latest version of TLS (TLS 1.3).
Since then, many schemes have been proposed, and even standardized and productionized (for example PAK was standardized by Google in 2010). The IETF 104, March 2019 – Overview of existing PAKEs and PAKE selection criteria has a list:
PAKE list
In the summer of 2019, the Crypto Forum Research Group (CFRG) of the IETF started a PAKE selection process, with the goal of picking one algorithm to standardize for each class of PAKEs (symmetric/balanced and asymmetric/augmented):
PAKE CFRG selection process

Two months ago (March 20th, 2020) the CFRG announced the end of the PAKE selection process, choosing:

  • CPace as the symmetric/balanced PAKE (from Björn Haase and Benoît Labrique)
  • OPAQUE as the asymmetric/augmented PAKE (from Stanislaw Jarecki, Hugo Krawczyk, and Jiayu Xu)

Thus, my recommendation is simple: today you should use OPAQUE!
If you want to learn more about OPAQUE, check out chapter 11 of my book Real-World Cryptography.
