1 / 32

The Secure Remote Password Protocol (SRP)

The Secure Remote Password Protocol (SRP). Fong Wee Teck (U018200X) Tong Jia Yun (U018216M) 30 March, 2004. Contents. Introduction Secure Remote Password 3 (SRP-3) Specification Protocol Analysis Secure Remote Password 6 (SRP-6) Demo Conclusion. Introduction.

lowri
Download Presentation

The Secure Remote Password Protocol (SRP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Secure Remote Password Protocol (SRP) Fong Wee Teck (U018200X) Tong Jia Yun (U018216M) 30 March, 2004

  2. Contents • Introduction • Secure Remote Password 3 (SRP-3) • Specification • Protocol • Analysis • Secure Remote Password 6 (SRP-6) • Demo • Conclusion

  3. Introduction • User Authentication Protocols fall into 3 broad categories: • Something the user is (biometrics) • Something the user has (smartcards) • Something the user knows (passwords, PINs) • SRP deals with direct password • Requires only a memorized password • Involve NO trusted third party • How to ensure security? • How to store passwords without plaintext-equivalence?

  4. Existing Authentication Techniques • Challenge-Response Protocol • Susceptible to offline dictionary attack • Eavesdropper captures both plaintext challenge and encrypted response • Tries common passwords till it matches • Encrypted Key Exchange (EKE) • Combination of symmetric and public-key cryptography • Resists dictionary attack • Does not provide sufficient information to verify a guessed password

  5. Backbone of SRP • Asymmetric Key Exchange (AKE) • Zero-knowledge, verifier-based design • Password and verifier are not equivalent (though verifiers are derived from passwords) • Discrete Logarithm Problem • Specifically the Diffie-Hellmen problem

  6. Asymmetric Key Exchange (AKE) • Primary function: • Exchanges keys between 2 parties • Uses this key to verify both parties • Unlike EKE, AKE does not encrypt any of the protocol flows • Eliminates need to negotiate a common encryption algorithm • Prevents weakness in encryption from affecting authentication

  7. Asymmetric Key Exchange (AKE) Carol Steve P(x) Choose password x P(z) Choose password z Generate random w P(w) Generate random y P(y) Compute Session Key K Compute Session Key K K = S( R(P(y), P(z)), Q(w, x) ) K = S( R(P(w), P(x)), Q(y, z) )

  8. SRP-3 (Specifications) • Uses the group ZN (N is a large safe prime) and the usual operations defined on this group • “One-way” verifier-generator: • Verifies session keys match using Message Authentication Code (MAC) based on one-way hash functions, ∏ P(x) = (gx)mod N, where g is a generator

  9. SRP-3 (Specifications) • N and g are common public values, agreed before the start of protocol • To establish a password P with Steve, Carol picks a random salt, s and computes the long term private key, x and verifier, v: • Steve stores Carol’s username I, v and s • x is not stored • it is equivalent to the plaintext password P as s is a public value x = ∏( s, P) v = (gx) mod N

  10. SRP-3 (Specifications) • The AKE protocol also allows Steve to have a password z with a corresponding verifier gz with Carol • Simplification in SRP, z = 0 • therefore verifier is 1 • Carol only needs to remember her own username and password. (Acceptability) • There is mutual authentication as long as Carol’s verifier, v is kept private with Steve. • If v is compromised, an attacker, Alice, can spoof as Steve and fool Carol to log in. • However, Alice will not learn the password nor spoof as Carol

  11. SRP-3 (Protocol) Carol Steve carol (lookup s, v) s x = ∏(s, P) A A = ga (B, u) B = v + gb S = (B – gx)a + ux = (v + gb– gx)a + ux = gab+bux (v = gx) S = (Avu)b = (gagxu)b = gab+bux K = H(S) K = H(S) M1 = ∏(A, B, K) M1 (verify M1) M2 = ∏(A, M1, K) M2 (verify M2)

  12. SRP-3 (Analysis) • Requirements • Reduction to Diffie-Hellmen • Computation of B • Role of u • Resistance to the Denning-Sacco attack • Resistance to active attacks

  13. Requirements 1) No information about password P and associated private key, x is revealed in a successful protocol run. • Prevent offline verification of password guesses 2) No information about K is revealed in a successful protocol run. • Prevent reconstruction of cryptographically strong K, which is resistant to guessing 3) Active message spoofing will not give the attacker more information on P or K or allows access to server • At most, it causes Denial-of-Service

  14. Requirements 4) If v is compromised, the attacker cannot impersonate a legitimate user without an expensive dictionary search • No password equivalents stored on server 5) If K is compromised, the attacker cannot guess or deduce password P 6) If P is compromised, the attacker cannot reconstruct past session keys and even the present key to decrypt past messages. • Provides forward security

  15. Reduction to Diffie-Hellmen • Math of SRP similar to the Diffie-Hellmen problem • Conjecture: It is hard to compute (gab) mod N when given (ga) mod N and (gb) mod N • Resists passive attacks as well as the Diffie-Hellmen protocol

  16. Computation of B • Recall that B = v + gb • Why not just use B = gb? • Reason: Opens the protocol to an active dictionary attack • Attacker masquerades as server and convinces Carol to make an authentication attempt

  17. Computation of B Carol Alice carol (Snooped s) s x = ∏(s, P) A A = ga (Pick own b and u) Send B = gb (B, u) Compute S K = H(S) M1 = ∏(A, B, K) M1 Do offline Attack. Network/Password Failure Message

  18. Computation of B • Alice now has A and her own b along with a proof of K from Carol • Guess a password p’, compute x’ and then v’ • Subsequently, get S’ and K’ = ∏(S’) and check against Carol’s proof of the real K • Need to commit secret value v into B to resist active dictionary attacks • Use modular addition B = (v + gb) mod n as it leaks no information about v

  19. Role of u • Why do Steve need to send u and B to Carol and not simply just B and let Carol choose u? • Reason: An attacker, Alice, who has captured the secret v can pose as a fake client to gain access to server • Attack works as it is now possible to create a session key S = gab, which is independent of the long-term private key x

  20. Role of u • Recall that Carol needs to compute S = (B – gx)a+ux B = v + gb • Alice computes A = gav-u and sends to Steve. Alice computes S = (B – gx)a = gab • Steve computes S = (Avu)b=gab • Thus, Alice manages to convince Alice that she is Carol

  21. Resistance to Denning-Sacco • Denning-Sacco attack • intruder captures session key K and use it to impersonate user directly or use brute-force search against user’s password • For SRP • even if K is learnt, nothing new can be learnt from combining it with M1 or M2 • As the one-way hash function makes K independent from long-term private key x • there is no easy way to conduct a brute-force attack

  22. Resistance to active attacks • As with most systems, if secret x is known, Alice can masquerade as Carol and if secret v is known, she can masquerade as Steve • “Man-in-the-middle” attack requires the attacker to know both x and v • Damage caused by a leaked v is limited compared to plaintext-equivalent systems • Zero knowledge nature of SRP, Steve does not know anything about x • However v must still be kept secret to prevent Alice from masquerading as Steve

  23. Constraint Checks • n is a large, safe prime • Safe: both n and (n – 1)/2 are prime • Protect against subgroup confinement attack • gis a primitive root in Zn • A≠ 0(computed at server) • B ≠ 0(computed at client) • a, b > loggn • so that ga and gb in Zn must “wrap-around” • prevent attacker from taking direct algebraic logarithm of ga to recover a

  24. SRP-6: Improvements • SRP-3 is the model developed in 1998 • SRP-6, proposed in 2002 addresses real-world implementations issues • Two-for-onepassword guessing attack by an attacker posing as a server • Message Ordering Property which requires server to wait for client’s first exponential residue A, before sending its own, B

  25. Two-for-One Guessing • Attacker can try to validate 2 password guesses per server impersonation attempt • Recall: Server supposed to send clientB = v + gb • Attacker that does not know x or v can make 2 guesses at v by sending B = gw + gy, where w and y are the guessed passwords

  26. Two-for-One Guessing • Solution: Remove the symmetry by multiplying v by some value k • Note that if attacker knowsk = gj,he can still perform the 2 for 1 guessing usingB= kgw + kgy • Recommended value : k = 3

  27. Message Ordering Server Client <Username, A> <s, u, B> M1 M2 (optional) • In SRP-3, the optimized message ordering is as follows: • This version requires both sides to agree on g and N in advance • Otherwise, it would need a extra round trip to establish g and N

  28. Message Ordering • Proposed optimized solution: • Still uses only 2 round trips, but requires B to be send before A • Now u must be a secure hash function of A and B instead of any random value Server Client Username <N, g, s, B> <A, M1> M2 (optional)

  29. SRP-6 (Optimized Protocol) Carol Steve (I = Carol, A) A = ga (lookup s, v) (B, s) x = ∏(s, I, P) B = 3v + gb u = ∏(A, B) u = ∏(A, B) S = (Avu)b = (gagxu)b = gab+bux S = (B – 3gx)a + ux = (3v + gb– 3gx)a + ux = gab+bux (v = gx) M1 = ∏(A, B, K) M1 (verify M1) M2 = ∏(A, M1, K) M2 (verify M2) K = H(S) K = H(S)

  30. SRP-6 Demo Demo (Remote) Demo (Local)

  31. Conclusion • SRP provides more secure drop-in replacement to current password authentication protocols • It is familiar to users on the surface • It does not require expensive infrastructure change (no trusted server) • It has been extensively studied and found to resist most, if not all, known attacks • Currently integrated with Telnet, FTP, CVS and numerous protocols. • It is Open and Free

  32. References [1] Thomas Wu, The Secure Remote Password Protocol, March 1998 [2] Thomas Wu, SRP-6: Improvements and Refinements to the Secure Remote Password Protocol, October 2002 [3] http://srp.stanford.edu/ Thank You!

More Related