Secure Remote Password Protocol

Secure remote password protocol - Wikipedia, the free encyclopedia
Secure remote password protocol. From Wikipedia, the free encyclopedia ... RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication ...
en.wikipedia.org

SRP: Open-Source Password Security
The Secure Remote Password protocol is the core technology behind the Stanford ... Source initiative that integrates secure password authentication into new and ...
srp.stanford.edu

The Secure Remote Password Protocol
Table 4: The Secure Remote Password Protocol. Carol sends Steve her username, (e.g. carol) ... The Secure Remote Password protocol is one of the first authentication ...
srp.stanford.edu

The Secure Remote Password Protocol - CiteSeerX citation query
Scientific documents that cite the following paper: The Secure Remote Password Protocol, by Thomas Wu ... secure password-authenticated key exchange protocol ...
citeseerx.ist.psu.edu

Warning: mkdir() [function.mkdir]: Permission denied in /home/webs/affiliatelib2/CacheManager.php on line 12

Warning: mkdir() [function.mkdir]: No such file or directory in /home/webs/affiliatelib2/CacheManager.php on line 12

Warning: fopen(/home/templatecore2cache//*cluesnet.com/89/89bea7ae6ff48667464f5d01007301c78fb98a14.tc2cache) [function.fopen]: failed to open stream: No such file or directory in /home/webs/affiliatelib2/CacheManager.php on line 130

Warning: fwrite(): supplied argument is not a valid stream resource in /home/webs/affiliatelib2/CacheManager.php on line 131

Warning: fclose(): supplied argument is not a valid stream resource in /home/webs/affiliatelib2/CacheManager.php on line 132

The Secure Remote Password Protocol (SRP) is a password-authenticated key agreement protocol.

Overview The SRP protocol has a number of desirable properties: it allows a user to authenticate himself to a server, it is resistant to dictionary attacks mounted by an eavesdropper, and it does not require a trusted third party. It effectively conveys a zero-knowledge password proof from the user to the server. Only one password can be guessed at per attempt in revision 6 of the protocol. One of the interesting properties of the protocol is that even if one or two of the cryptographic primitives it uses are attacked, it is still secure. The SRP protocol has been revised several times, and is currently at revision six.

The SRP protocol creates a large private key shared between the two parties in a manner similar to Diffie-Hellman, then verifies to both parties that the two keys are identical and that both sides have the user's password. In cases where encrypted communications as well as authentication are required, the SRP protocol is more secure than the alternate Secure Shell protocol and faster than using Diffie-Hellman with signed messages. It is also independent of third parties, unlike Kerberos (protocol). The SRP protocol, version 3 is described in RFC 2945. SRP version 6 is also used for strong password authentication in Transport Layer Security and other standards such as Extensible Authentication Protocol and SAML, and is being standardized in IEEE P1363 and ISO/IEC 11770-4.

Protocol The following notation is used In this description of the protocol, version 6:

N and q = (N-1)/2 are both prime (N is a safe prime and q is a Sophie Germain prime). All arithmetic is performed modulo N.
g is a generator of the multiplicative group modulo N.
k is a parameter derived by both sides, for example k = H(N, g).
s is a small Salt (cryptography).
I is a username.
p is the user's password.
H() is a Cryptographic hash function function, e.g. SHA-256.
v is the host's password verifier, v = gx, x = H(s,p).
u, a and b are random.
| denotes concatenation.

All other variables are defined in terms of these.

First, to establish a password p with Steve,Carol picks a small random salt s, and computes x = H(s, p), v = gx.Steve stores v and s, indexed by I, as Carol's password verifier and salt.x is discarded because it is equivalent to the plaintext password p.This step is completed before the system is used.

Carol -> Steve: I | A, with A = ga
Steve -> Carol: s | B, with B = kv + gb
Both: u = H(A, B)
Carol: SCarol = (B - kgx)(a + ux)
Carol: KCarol = H(S)
Steve: SSteve = (Avu)b
Steve: KSteve = H(S)

Now the two parties have a shared, strong session key K. To complete authentication, they need to prove to each other that their keys match. One possible way is as follows:

Carol -> Steve: M1 = H(H(N) XOR H(g) | H(I) | s | A | B | KCarol). Steve verifies M1.
Steve -> Carol: M2 = H(A | M | KSteve). Carol verifies M2.

This method requires guessing more of the shared state to be successful in impersonation than just the key. While most of the additional state is public, private information could safely be added to the inputs to the hash function, like the server private key. The two parties also employ the following safeguards:
1. Carol will abort if she receives B == 0 (mod N) or u == 0.
2. Steve will abort if he receives A == 0 (mod N).
3. Carol must show her proof of K first. If Steve detects that Carol's proof is incorrect, he must abort without showing its own proof of K.

See also

Password-authenticated key agreement
lsh - an implementation of the Secure SHell v2 protocol
iSCSI - standard for using the SCSI protocol over IP

External links RFCs

RFC 2944 - Telnet Authentication: SRP
RFC 2945 - The SRP Authentication and Key Exchange System
RFC 3720 - Internet Small Computer Systems Interface (iSCSI)
RFC 3723 - Securing Block Storage Protocols over IP
RFC 3669 - Guidelines for Working Groups on Intellectual Property Issues

Manual Pages