## The Secure Remote Password Protocol (SRP)


Fong Wee Teck (U018200X), Tong Jia Yun (U018216M)
30 March 2004

**Contents**

- Introduction
- Secure Remote Password 3 (SRP-3)
  - Specification
  - Protocol
  - Analysis
- Secure Remote Password 6 (SRP-6)
- Demo
- Conclusion

**Introduction**

- User authentication protocols fall into 3 broad categories:
  - Something the user is (biometrics)
  - Something the user has (smartcards)
  - Something the user knows (passwords, PINs)
- SRP deals directly with passwords:
  - Requires only a memorized password
  - Involves NO trusted third party
- How to ensure security?
- How to store passwords without plaintext-equivalence?

**Existing Authentication Techniques**

- Challenge-Response Protocol
  - Susceptible to an offline dictionary attack
  - An eavesdropper captures both the plaintext challenge and the encrypted response
  - Tries common passwords until one matches
- Encrypted Key Exchange (EKE)
  - Combination of symmetric and public-key cryptography
  - Resists dictionary attacks
  - Does not provide sufficient information to verify a guessed password

**Backbone of SRP**

- Asymmetric Key Exchange (AKE)
  - Zero-knowledge, verifier-based design
  - Password and verifier are not equivalent (though verifiers are derived from passwords)
- Discrete Logarithm Problem
  - Specifically the Diffie-Hellman problem

**Asymmetric Key Exchange (AKE)**

- Primary function:
  - Exchanges keys between 2 parties
  - Uses this key to verify both parties
- Unlike EKE, AKE does not encrypt any of the protocol flows
  - Eliminates the need to negotiate a common encryption algorithm
  - Prevents a weakness in encryption from affecting authentication

**Asymmetric Key Exchange (AKE)**

| Carol | Message | Steve |
|---|---|---|
| Choose password x | P(x) → | |
| | ← P(z) | Choose password z |
| Generate random w | P(w) → | |
| | ← P(y) | Generate random y |
| Compute session key K = S(R(P(y), P(z)), Q(w, x)) | | Compute session key K = S(R(P(w), P(x)), Q(y, z)) |

**SRP-3 (Specifications)**

- Uses the group Z_N (N is a large safe prime) and the usual operations defined on this group
- "One-way" verifier generator: P(x) = g^x mod N, where g is a generator
- Verifies that the session keys match using a Message Authentication Code (MAC) based on a one-way hash function, ∏

**SRP-3 (Specifications)**

- N and g are common public values, agreed before the start of the protocol
- To establish a password P with Steve, Carol picks a random salt s and computes the long-term private key x and the verifier v:
  - x = ∏(s, P)
  - v = g^x mod N
- Steve stores Carol's username I, v and s
- x is not stored: it is equivalent to the plaintext password P, since s is a public value

**SRP-3 (Specifications)**

- The AKE protocol also allows Steve to have a password z with a corresponding verifier g^z held by Carol
- Simplification in SRP: z = 0, therefore Steve's verifier is 1
  - Carol only needs to remember her own username and password (acceptability)
- There is mutual authentication as long as Carol's verifier v is kept private by Steve
  - If v is compromised, an attacker, Alice, can spoof Steve and fool Carol into logging in
  - However, Alice will not learn the password, nor be able to spoof Carol

**SRP-3 (Protocol)**

All arithmetic is mod N.

| Carol | Message | Steve |
|---|---|---|
| | carol → | (lookup s, v) |
| x = ∏(s, P) | ← s | |
| A = g^a | A → | |
| | ← (B, u) | B = v + g^b |
| S = (B − g^x)^(a + ux) = (v + g^b − g^x)^(a + ux) = g^(ab + bux)  (since v = g^x) | | S = (A v^u)^b = (g^a g^(xu))^b = g^(ab + bux) |
| K = H(S) | | K = H(S) |
| M1 = ∏(A, B, K) | M1 → | (verify M1) |
| (verify M2) | ← M2 | M2 = ∏(A, M1, K) |

**SRP-3 (Analysis)**

- Requirements
- Reduction to Diffie-Hellman
- Computation of B
- Role of u
- Resistance to the Denning-Sacco attack
- Resistance to active attacks

**Requirements**

1) No information about the password P and the associated private key x is revealed in a successful protocol run
   - Prevents offline verification of password guesses
2) No information about K is revealed in a successful protocol run
   - Prevents reconstruction of the cryptographically strong K, which is resistant to guessing
3) Active message spoofing will not give the attacker more information on P or K, nor allow access to the server
   - At most, it causes denial of service

**Requirements**

4) If v is compromised, the attacker cannot impersonate a legitimate user without an expensive dictionary search
   - No password equivalents are stored on the server
5) If K is compromised, the attacker cannot guess or deduce the password P
6) If P is compromised, the attacker cannot reconstruct past session keys, or even the present key, to decrypt past messages
   - Provides forward secrecy

**Reduction to Diffie-Hellman**

- The math of SRP is similar to the Diffie-Hellman problem
- Conjecture: it is hard to compute g^(ab) mod N when given g^a mod N and g^b mod N
- SRP resists passive attacks as well as the Diffie-Hellman protocol does

**Computation of B**

- Recall that B = v + g^b
- Why not just use B = g^b?
- Reason: it opens the protocol to an active dictionary attack
  - The attacker masquerades as the server and convinces Carol to make an authentication attempt

**Computation of B**

| Carol | Message | Alice |
|---|---|---|
| | carol → | (snooped s) |
| x = ∏(s, P) | ← s | |
| A = g^a | A → | (pick own b and u) |
| | ← (B, u) | send B = g^b |
| Compute S, K = H(S), M1 = ∏(A, B, K) | M1 → | do offline attack |
| | ← network/password failure message | |

**Computation of B**

- Alice now has A and her own b, along with a proof of K from Carol
- Guess a password p', compute x' and then v'
- Subsequently, get S' and K' = H(S') and check against Carol's proof of the real K
- Need to commit the secret value v into B to resist active dictionary attacks
- Use modular addition B = (v + g^b) mod N, as it leaks no information about v

**Role of u**

- Why does Steve need to send u and B to Carol, rather than just B and let Carol choose u?
- Reason: an attacker, Alice, who has captured the secret v can pose as a fake client to gain access to the server
- The attack works because it becomes possible to create a session key S = g^(ab) that is independent of the long-term private key x

**Role of u**

- Recall that Carol needs to compute S = (B − g^x)^(a + ux), where B = v + g^b
- If the client may choose u, Alice picks u, computes A = g^a v^(−u) and sends it to Steve
- Alice computes S = (B − v)^a = (g^b)^a = g^(ab)  (she knows v = g^x, so she never needs x)
- Steve computes S = (A v^u)^b = (g^a v^(−u) v^u)^b = g^(ab)
- Thus, Alice manages to convince Steve that she is Carol

**Resistance to Denning-Sacco**

- Denning-Sacco attack: an intruder captures a session key K and uses it to impersonate the user directly, or to run a brute-force search against the user's password
- For SRP, even if K is learnt, nothing new can be learnt by combining it with M1 or M2
  - The one-way hash function makes K independent of the long-term private key x
  - There is no easy way to conduct a brute-force attack

**Resistance to active attacks**

- As with most systems, if the secret x is known, Alice can masquerade as Carol; if the secret v is known, she can masquerade as Steve
- A man-in-the-middle attack requires the attacker to know both x and v
- The damage caused by a leaked v is limited compared to plaintext-equivalent systems
- Because of the zero-knowledge nature of SRP, Steve does not know anything about x
- However, v must still be kept secret to prevent Alice from masquerading as Steve

**Constraint Checks**

- N is a large, safe prime
  - Safe: both N and (N − 1)/2 are prime
  - Protects against the subgroup confinement attack
- g is a primitive root in Z_N
- A ≠ 0 (mod N), checked at the server
- B ≠ 0 (mod N), checked at the client
- a, b > log_g N
  - so that g^a and g^b in Z_N must "wrap around"
  - prevents an attacker from taking the direct algebraic logarithm of g^a to recover a

**SRP-6: Improvements**

- SRP-3 is the model developed in 1998 [1]
- SRP-6, proposed in 2002 [2], addresses real-world implementation issues:
  - Two-for-one password guessing attack by an attacker posing as a server
  - Message ordering property, which requires the server to wait for the client's first exponential residue A before sending its own, B

**Two-for-One Guessing**

- The attacker can try to validate 2 password guesses per server impersonation attempt
- Recall: the server is supposed to send the client B = v + g^b
- An attacker who does not know x or v can make 2 guesses at v by sending B = g^w + g^y, where w and y are the private keys derived from two guessed passwords

**Two-for-One Guessing**

- Solution: remove the symmetry by multiplying v by some value k
- Note that if the attacker knows j such that k = g^j, he can still perform the two-for-one guess using B = k g^w + k g^y
- Recommended value: k = 3

**Message Ordering**

- In SRP-3, the optimized message ordering is as follows:

| Client | | Server |
|---|---|---|
| <Username, A> | → | |
| | ← | <s, u, B> |
| M1 | → | |
| | ← | M2 (optional) |

- This version requires both sides to agree on g and N in advance
- Otherwise, it would need an extra round trip to establish g and N

**Message Ordering**

- Proposed optimized solution: still uses only 2 round trips, but requires B to be sent before A
- Now u must be a secure hash of A and B, instead of any random value

| Client | | Server |
|---|---|---|
| Username | → | |
| | ← | <N, g, s, B> |
| <A, M1> | → | |
| | ← | M2 (optional) |

**SRP-6 (Optimized Protocol)**

All arithmetic is mod N.

| Carol | Message | Steve |
|---|---|---|
| A = g^a | (I = carol, A) → | (lookup s, v) |
| x = ∏(s, I, P) | ← (B, s) | B = 3v + g^b |
| u = ∏(A, B) | | u = ∏(A, B) |
| S = (B − 3g^x)^(a + ux) = (3v + g^b − 3g^x)^(a + ux) = g^(ab + bux)  (since v = g^x) | | S = (A v^u)^b = (g^a g^(xu))^b = g^(ab + bux) |
| K = H(S) | | K = H(S) |
| M1 = ∏(A, B, K) | M1 → | (verify M1) |
| (verify M2) | ← M2 | M2 = ∏(A, M1, K) |

**SRP-6 Demo**

- Demo (Remote)
- Demo (Local)

**Conclusion**

- SRP provides a more secure drop-in replacement for current password authentication protocols
- It is familiar to users on the surface
- It does not require expensive infrastructure changes (no trusted server)
- It has been extensively studied and found to resist most, if not all, known attacks
- Currently integrated with Telnet, FTP, CVS and numerous other protocols
- It is open and free

**References**

[1] Thomas Wu, The Secure Remote Password Protocol, March 1998
[2] Thomas Wu, SRP-6: Improvements and Refinements to the Secure Remote Password Protocol, October 2002
[3] http://srp.stanford.edu/

Thank You!
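**Worked Example (added)**

The Python below is an added worked example written by the editor for this page; it is not code from the slides, from Thomas Wu's papers, or from the Stanford SRP distribution. It walks through the SRP-6 (Optimized Protocol) slide with the deck's symbols (s, x, v, a, b, A, B, u, S, K, M1, M2 and k = 3), applies the Constraint Checks slide (N and (N − 1)/2 prime, g a primitive root, A and B nonzero mod N, exponents larger than log_g N), and then replays the Two-for-One Guessing slides: `two_for_one` runs Alice as a fake Steve who sends B = k·g^x1 + g^x2 built from two password guesses and tests both against Carol's M1 offline. With k = 1 (SRP-3's B = v + g^b) either guess can be confirmed in one run; with k = 3 only the first. Assumptions not in the slides: SHA-256 stands in for the one-way function ∏ / H, each hashed field gets a 4-byte length prefix, the group is a 256-bit safe prime generated at run time for demo speed (deployments use standardized groups of 2048 bits or more), and all function names, usernames and passwords are made up for the example.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used for the 'N and (N-1)/2 are prime' constraint check."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits):
    """Safe prime N = 2q + 1 plus a primitive root g. Demo size only:
    deployments use standardized groups of 2048 bits or more."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, 4) and is_probable_prime(2 * q + 1):
            break
    N = 2 * q + 1
    g = 2
    while pow(g, 2, N) == 1 or pow(g, q, N) == 1:  # order must be 2q, not 1, 2 or q
        g += 1
    return N, g


def random_exponent(N):
    """a, b > log_g N (here: > bit length of N) so g^a must wrap around mod N."""
    while True:
        e = secrets.randbelow(N - 1)
        if e > N.bit_length():
            return e


def H(*parts):
    """The deck's one-way hash (∏ / H) over ints and bytes; SHA-256 is assumed."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)  # length prefix: no field ambiguity
    return int.from_bytes(h.digest(), "big")


def register(N, g, I, P):
    """Enrolment: Steve stores (I, s, v) with v = g^x; x itself is never stored."""
    s = secrets.token_bytes(16)
    return s, pow(g, H(s, I, P), N)


def carol_proof(N, g, k, I, P, s, a, B, u):
    """Carol's side: S = (B - k g^x)^(a + u x), K = H(S), M1 = H(A, B, K)."""
    if B % N == 0:
        raise ValueError("B mod N == 0")  # client-side constraint check
    x = H(s, I, P)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = H(S)
    return K, H(pow(g, a, N), B, K)


def login(N, g, I, P, db, k=3):
    """One honest run of the SRP-6 slide (k = 3; k = 1 gives SRP-3's B = v + g^b).
    Returns (server_accepts, client_accepts)."""
    a = random_exponent(N)
    A = pow(g, a, N)                                  # Carol -> Steve: (I, A)
    s, v = db[I]
    if A % N == 0:
        raise ValueError("A mod N == 0")              # server-side constraint check
    b = random_exponent(N)
    B = (k * v + pow(g, b, N)) % N                    # Steve -> Carol: (B, s)
    u = H(A, B)                                       # SRP-6: u = H(A, B) on both sides
    K_c, M1 = carol_proof(N, g, k, I, P, s, a, B, u)  # Carol -> Steve: M1
    K_s = H(pow(A * pow(v, u, N) % N, b, N))          # Steve: S = (A v^u)^b
    if M1 != H(A, B, K_s):
        return False, False                           # wrong password: no M2 is sent
    M2 = H(A, M1, K_s)                                # Steve -> Carol: M2
    return True, M2 == H(A, M1, K_c)


def two_for_one(N, g, I, P, s, guesses, k):
    """Alice poses as Steve, sends B = k g^x1 + g^x2 built from two password
    guesses, collects Carol's M1 and checks both guesses offline.
    Returns the guesses that M1 confirms."""
    x1, x2 = (H(s, I, p) for p in guesses)            # s is public (snooped)
    a = random_exponent(N)                            # Carol's secret; Alice sees only A
    A = pow(g, a, N)
    B = (k * pow(g, x1, N) + pow(g, x2, N)) % N
    u = H(A, B)                                       # in SRP-3 Alice could pick u freely
    _, M1 = carol_proof(N, g, k, I, P, s, a, B, u)
    # If x == x1: B - k g^x1 = g^x2, so S = (A g^(u x1))^x2 and Alice can recompute it.
    # If x == x2: B - k g^x2 is a known power of g only when k == 1 (SRP-3);
    # with k = 3 the second candidate below is simply wrong, so one guess per run.
    confirmed = []
    for guess, xg, xb in ((guesses[0], x1, x2), (guesses[1], x2, x1)):
        if H(A, B, H(pow(A * pow(g, u * xg, N) % N, xb, N))) == M1:
            confirmed.append(guess)
    return confirmed
```

Usage: `N, g = generate_group(256)`, then `s, v = register(N, g, b"carol", P)` and store `db[b"carol"] = (s, v)` on Steve's side. `login(N, g, b"carol", P, db)` returns `(True, True)` for the right password and `(False, False)` for a wrong one, because Steve rejects M1 and never sends M2. `two_for_one(N, g, b"carol", P, s, (b"hunter2", P), 1)` confirms the second guess against SRP-3, while the same call with `k=3` confirms nothing; only a correct first guess is confirmable under SRP-6, which is the halving the slides describe.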