sirp 2.0.0.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,8 @@
1
+ require 'bundler/gem_tasks'
2
+ require 'rspec/core/rake_task'
3
+ require 'wwtd/tasks'
4
+
5
+ RSpec::Core::RakeTask.new(:spec)
6
+
7
+ task default: :spec
8
+ task test: :spec
@@ -0,0 +1,14 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require 'bundler/setup'
4
+ require 'sirp'
5
+
6
+ # You can add fixtures and/or initialization code here to make experimenting
7
+ # with your gem easier. You can also use a different console, if you like.
8
+
9
+ # (If you use this, don't forget to add pry to your Gemfile!)
10
+ require 'pry'
11
+ Pry.start
12
+
13
+ require 'irb'
14
+ IRB.start
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
@@ -0,0 +1,21 @@
1
+ -----BEGIN CERTIFICATE-----
2
+ MIIDYDCCAkigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQ4wDAYDVQQDDAVnbGVu
3
+ bjEVMBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwHhcN
4
+ MTYwNDExMDI0NTU0WhcNMTcwNDExMDI0NTU0WjA7MQ4wDAYDVQQDDAVnbGVubjEV
5
+ MBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwggEiMA0G
6
+ CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZqTH5Jf+D/W2B4BIiL49CpHa86rK/
7
+ oT+v3xZwuEE92lJea+ygn3IAsidVTW47AKE6Lt3UqUkGQGKxsqH/Dhir08BqjLlD
8
+ gBUozGZpM3B6uWZnD6QXLbOmZeGVDnwB/QDfzaawN1i3smlYxYT+KNLjl80aN3we
9
+ /cHAWG7JG47AF/S91mYcg1WgZnDgZt9+RyVR1AsfYbM+SidOSoXEOHPCbuUxLKJb
10
+ gj5ieCFhm5GNWEugvgiX/ruas+VHV0fF3fzjYlU2fZPTuQyB4UD5FWX4UqdsBf3w
11
+ jB94TDBsJ3FVGPbggEhLGKd8pbQmBIOqXolGaqhs7dnuf5imu5mAXHC1AgMBAAGj
12
+ bzBtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBRfxEyosUbKjfFa
13
+ j+gae2CcT3aFCTAZBgNVHREEEjAQgQ5nbGVubkByZW1wZS51czAZBgNVHRIEEjAQ
14
+ gQ5nbGVubkByZW1wZS51czANBgkqhkiG9w0BAQUFAAOCAQEAzgK20+MNOknR9Kx6
15
+ RisI3DsioCADjGldxY+INrwoTfPDVmNm4GdTYC+V+/BvxJw1RqHjEbuXSg0iibQC
16
+ 4vN+th0Km7dnas/td1i+EKfGencfyQyecIaG9l3kbCkCWnldRtZ+BS5EfP2ML2u8
17
+ fyCtze/Piovu8IwXL1W5kGZMnvzLmWxdqI3VPUou40n8F+EiMMLgd53kpzjtNOau
18
+ 4W+mqVGOwlEGVSgI5+0SIsD8pvc62PlPWTv0kn1bcufKKCZmoVmpfbe3j4JpBInq
19
+ zieXiXZSAojfFx9g91fKdIrlPbInHU/BaCxXSLBwvOM0drE+c2ue9X8gB55XAhzX
20
+ 37oBiw==
21
+ -----END CERTIFICATE-----
@@ -0,0 +1,406 @@
1
+
2
+
3
+
4
+
5
+
6
+
7
+ Network Working Group T. Wu
8
+ Request for Comments: 2945 Stanford University
9
+ Category: Standards Track September 2000
10
+
11
+
12
+ The SRP Authentication and Key Exchange System
13
+
14
+ Status of this Memo
15
+
16
+ This document specifies an Internet standards track protocol for the
17
+ Internet community, and requests discussion and suggestions for
18
+ improvements. Please refer to the current edition of the "Internet
19
+ Official Protocol Standards" (STD 1) for the standardization state
20
+ and status of this protocol. Distribution of this memo is unlimited.
21
+
22
+ Copyright Notice
23
+
24
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
25
+
26
+ Abstract
27
+
28
+ This document describes a cryptographically strong network
29
+ authentication mechanism known as the Secure Remote Password (SRP)
30
+ protocol. This mechanism is suitable for negotiating secure
31
+ connections using a user-supplied password, while eliminating the
32
+ security problems traditionally associated with reusable passwords.
33
+ This system also performs a secure key exchange in the process of
34
+ authentication, allowing security layers (privacy and/or integrity
35
+ protection) to be enabled during the session. Trusted key servers
36
+ and certificate infrastructures are not required, and clients are not
37
+ required to store or manage any long-term keys. SRP offers both
38
+ security and deployment advantages over existing challenge-response
39
+ techniques, making it an ideal drop-in replacement where secure
40
+ password authentication is needed.
41
+
42
+ 1. Introduction
43
+
44
+ The lack of a secure authentication mechanism that is also easy to
45
+ use has been a long-standing problem with the vast majority of
46
+ Internet protocols currently in use. The problem is two-fold: Users
47
+ like to use passwords that they can remember, but most password-based
48
+ authentication systems offer little protection against even passive
49
+ attackers, especially if weak and easily-guessed passwords are used.
50
+
51
+ Eavesdropping on a TCP/IP network can be carried out very easily and
52
+ very effectively against protocols that transmit passwords in the
53
+ clear. Even so-called "challenge-response" techniques like the one
54
+ described in [RFC 2095] and [RFC 1760], which are designed to defeat
55
+
56
+
57
+
58
+ Wu Standards Track [Page 1]
59
+
60
+ RFC 2945 SRP Authentication & Key Exchange System September 2000
61
+
62
+
63
+ simple sniffing attacks, can be compromised by what is known as a
64
+ "dictionary attack". This occurs when an attacker captures the
65
+ messages exchanged during a legitimate run of the protocol and uses
66
+ that information to verify a series of guessed passwords taken from a
67
+ precompiled "dictionary" of common passwords. This works because
68
+ users often choose simple, easy-to-remember passwords, which
69
+ invariably are also easy to guess.
70
+
71
+ Many existing mechanisms also require the password database on the
72
+ host to be kept secret because the password P or some private hash
73
+ h(P) is stored there and would compromise security if revealed. That
74
+ approach often degenerates into "security through obscurity" and goes
75
+ against the UNIX convention of keeping a "public" password file whose
76
+ contents can be revealed without destroying system security.
77
+
78
+ SRP meets the strictest requirements laid down in [RFC 1704] for a
79
+ non-disclosing authentication protocol. It offers complete
80
+ protection against both passive and active attacks, and accomplishes
81
+ this efficiently using a single Diffie-Hellman-style round of
82
+ computation, making it feasible to use in both interactive and non-
83
+ interactive authentication for a wide range of Internet protocols.
84
+ Since it retains its security when used with low-entropy passwords,
85
+ it can be seamlessly integrated into existing user applications.
86
+
87
+ 2. Conventions and Terminology
88
+
89
+ The protocol described by this document is sometimes referred to as
90
+ "SRP-3" for historical purposes. This particular protocol is
91
+ described in [SRP] and is believed to have very good logical and
92
+ cryptographic resistance to both eavesdropping and active attacks.
93
+
94
+ This document does not attempt to describe SRP in the context of any
95
+ particular Internet protocol; instead it describes an abstract
96
+ protocol that can be easily fitted to a particular application. For
97
+ example, the specific format of messages (including padding) is not
98
+ specified. Those issues have been left to the protocol implementor
99
+ to decide.
100
+
101
+ The one implementation issue worth specifying here is the mapping
102
+ between strings and integers. Internet protocols are byte-oriented,
103
+ while SRP performs algebraic operations on its messages, so it is
104
+ logical to define at least one method by which integers can be
105
+ converted into a string of bytes and vice versa.
106
+
107
+ An n-byte string S can be converted to an integer as follows:
108
+
109
+ i = S[n-1] + 256 * S[n-2] + 256^2 * S[n-3] + ... + 256^(n-1) * S[0]
110
+
111
+ where i is the integer and S[x] is the value of the x'th byte of S.
112
+ In human terms, the string of bytes is the integer expressed in base
113
+ 256, with the most significant digit first. When converting back to
114
+ a string, S[0] must be non-zero (padding is considered to be a
115
+ separate, independent process). This conversion method is suitable
116
+ for file storage, in-memory representation, and network transmission
117
+ of large integer values. Unless otherwise specified, this mapping
118
+ will be assumed.
119
+
120
+ If implementations require padding a string that represents an
121
+ integer value, it is recommended that they use zero bytes and add
122
+ them to the beginning of the string. The conversion back to integer
123
+ automatically discards leading zero bytes, making this padding scheme
124
+ less prone to error.
125
+
126
+ The SHA hash function, when used in this document, refers to the
127
+ SHA-1 message digest algorithm described in [SHA1].
128
+
129
+ 3. The SRP-SHA1 mechanism
130
+
131
+ This section describes an implementation of the SRP authentication
132
+ and key-exchange protocol that employs the SHA hash function to
133
+ generate session keys and authentication proofs.
134
+
135
+ The host stores user passwords as triplets of the form
136
+
137
+ { <username>, <password verifier>, <salt> }
138
+
139
+ Password entries are generated as follows:
140
+
141
+ <salt> = random()
142
+ x = SHA(<salt> | SHA(<username> | ":" | <raw password>))
143
+ <password verifier> = v = g^x % N
144
+
145
+ The | symbol indicates string concatenation, the ^ operator is the
146
+ exponentiation operation, and the % operator is the integer remainder
147
+ operation. Most implementations perform the exponentiation and
148
+ remainder in a single stage to avoid generating unwieldy intermediate
149
+ results. Note that the 160-bit output of SHA is implicitly converted
150
+ to an integer before it is operated upon.
151
+
152
+ Authentication is generally initiated by the client.
153
+
154
+ Client Host
155
+ -------- ------
156
+ U = <username> -->
157
+ <-- s = <salt from passwd file>
158
+
159
+ Upon identifying himself to the host, the client will receive the
160
+ salt stored on the host under his username.
161
+
162
+ a = random()
163
+ A = g^a % N -->
164
+ v = <stored password verifier>
165
+ b = random()
166
+ <-- B = (v + g^b) % N
167
+
168
+ p = <raw password>
169
+ x = SHA(s | SHA(U | ":" | p))
170
+
171
+ S = (B - g^x) ^ (a + u * x) % N S = (A * v^u) ^ b % N
172
+ K = SHA_Interleave(S) K = SHA_Interleave(S)
173
+ (this function is described
174
+ in the next section)
175
+
176
+ The client generates a random number, raises g to that power modulo
177
+ the field prime, and sends the result to the host. The host does the
178
+ same thing and also adds the public verifier before sending it to the
179
+ client. Both sides then construct the shared session key based on
180
+ the respective formulae.
181
+
182
+ The parameter u is a 32-bit unsigned integer which takes its value
183
+ from the first 32 bits of the SHA1 hash of B, MSB first.
184
+
185
+ The client MUST abort authentication if B % N is zero.
186
+
187
+ The host MUST abort the authentication attempt if A % N is zero. The
188
+ host MUST send B after receiving A from the client, never before.
189
+
190
+ At this point, the client and server should have a common session key
191
+ that is secure (i.e. not known to an outside party). To finish
192
+ authentication, they must prove to each other that their keys are
193
+ identical.
194
+
195
+ M = H(H(N) XOR H(g) | H(U) | s | A | B | K)
196
+ -->
197
+ <-- H(A | M | K)
198
+
199
+ The server will calculate M using its own K and compare it against
200
+ the client's response. If they do not match, the server MUST abort
201
+ and signal an error before it attempts to answer the client's
202
+ challenge. Not doing so could compromise the security of the user's
203
+ password.
204
+
205
+ If the server receives a correct response, it issues its own proof to
206
+ the client. The client will compute the expected response using its
207
+ own K to verify the authenticity of the server. If the client
208
+ responded correctly, the server MUST respond with its hash value.
209
+
210
+ The transactions in this protocol description do not necessarily have
211
+ a one-to-one correspondence with actual protocol messages. This
212
+ description is only intended to illustrate the relationships between
213
+ the different parameters and how they are computed. It is possible,
214
+ for example, for an implementation of the SRP-SHA1 mechanism to
215
+ consolidate some of the flows as follows:
216
+
217
+ Client Host
218
+ -------- ------
219
+ U, A -->
220
+ <-- s, B
221
+ H(H(N) XOR H(g) | H(U) | s | A | B | K)
222
+ -->
223
+ <-- H(A | M | K)
224
+
225
+ The values of N and g used in this protocol must be agreed upon by
226
+ the two parties in question. They can be set in advance, or the host
227
+ can supply them to the client. In the latter case, the host should
228
+ send the parameters in the first message along with the salt. For
229
+ maximum security, N should be a safe prime (i.e. a number of the form
230
+ N = 2q + 1, where q is also prime). Also, g should be a generator
231
+ modulo N (see [SRP] for details), which means that for any X where 0
232
+ < X < N, there exists a value x for which g^x % N == X.
233
+
234
+ 3.1. Interleaved SHA
235
+
236
+ The SHA_Interleave function used in SRP-SHA1 is used to generate a
237
+ session key that is twice as long as the 160-bit output of SHA1. To
238
+ compute this function, remove all leading zero bytes from the input.
239
+ If the length of the resulting string is odd, also remove the first
240
+ byte. Call the resulting string T. Extract the even-numbered bytes
241
+ into a string E and the odd-numbered bytes into a string F, i.e.
242
+
243
+ E = T[0] | T[2] | T[4] | ...
244
+ F = T[1] | T[3] | T[5] | ...
245
+
246
+ Both E and F should be exactly half the length of T. Hash each one
247
+ with regular SHA1, i.e.
248
+
249
+ G = SHA(E)
250
+ H = SHA(F)
251
+
252
+ Interleave the two hashes back together to form the output, i.e.
253
+
254
+ result = G[0] | H[0] | G[1] | H[1] | ... | G[19] | H[19]
255
+
256
+ The result will be 40 bytes (320 bits) long.
257
+
258
+ 3.2. Other Hash Algorithms
259
+
260
+ SRP can be used with hash functions other than SHA. If the hash
261
+ function produces an output of a different length than SHA (20
262
+ bytes), it may change the length of some of the messages in the
263
+ protocol, but the fundamental operation will be unaffected.
264
+
265
+ Earlier versions of the SRP mechanism used the MD5 hash function,
266
+ described in [RFC 1321]. Keyed hash transforms are also recommended
267
+ for use with SRP; one possible construction uses HMAC [RFC 2104],
268
+ using K to key the hash in each direction instead of concatenating it
269
+ with the other parameters.
270
+
271
+ Any hash function used with SRP should produce an output of at least
272
+ 16 bytes and have the property that small changes in the input cause
273
+ significant nonlinear changes in the output. [SRP] covers these
274
+ issues in more depth.
275
+
276
+ 4. Security Considerations
277
+
278
+ This entire memo discusses an authentication and key-exchange system
279
+ that protects passwords and exchanges keys across an untrusted
280
+ network. This system improves security by eliminating the need to
281
+ send cleartext passwords over the network and by enabling encryption
282
+ through its secure key-exchange mechanism.
283
+
284
+ The private values for a and b correspond roughly to the private
285
+ values in a Diffie-Hellman exchange and have similar constraints of
286
+ length and entropy. Implementations may choose to increase the
287
+ length of the parameter u, as long as both client and server agree,
288
+ but it is not recommended that it be shorter than 32 bits.
289
+
290
+ SRP has been designed not only to counter the threat of casual
291
+ password-sniffing, but also to prevent a determined attacker equipped
292
+ with a dictionary of passwords from guessing at passwords using
293
+ captured network traffic. The SRP protocol itself also resists
294
+ active network attacks, and implementations can use the securely
295
+ exchanged keys to protect the session against hijacking and provide
296
+ confidentiality.
297
+
298
+ SRP also has the added advantage of permitting the host to store
299
+ passwords in a form that is not directly useful to an attacker. Even
300
+ if the host's password database were publicly revealed, the attacker
301
+ would still need an expensive dictionary search to obtain any
302
+ passwords. The exponential computation required to validate a guess
303
+ in this case is much more time-consuming than the hash currently used
304
+ by most UNIX systems. Hosts are still advised, though, to try their
305
+ best to keep their password files secure.
306
+
307
+ 5. References
308
+
309
+ [RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
310
+ April 1992.
311
+
312
+ [RFC 1704] Haller, N. and R. Atkinson, "On Internet Authentication",
313
+ RFC 1704, October 1994.
314
+
315
+ [RFC 1760] Haller, N., "The S/Key One-Time Password System", RFC
316
+ 1760, Feburary 1995.
317
+
318
+ [RFC 2095] Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP
319
+ AUTHorize Extension for Simple Challenge/Response", RFC
320
+ 2095, January 1997.
321
+
322
+ [RFC 2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
323
+ Hashing for Message Authentication", RFC 2104, February
324
+ 1997.
325
+
326
+ [SHA1] National Institute of Standards and Technology (NIST),
327
+ "Announcing the Secure Hash Standard", FIPS 180-1, U.S.
328
+ Department of Commerce, April 1995.
329
+
330
+ [SRP] T. Wu, "The Secure Remote Password Protocol", In
331
+ Proceedings of the 1998 Internet Society Symposium on
332
+ Network and Distributed Systems Security, San Diego, CA,
333
+ pp. 97-111.
334
+
335
+ 6. Author's Address
336
+
337
+ Thomas Wu
338
+ Stanford University
339
+ Stanford, CA 94305
340
+
341
+ EMail: tjw@cs.Stanford.EDU
342
+
343
+
344
+
345
+
346
+
347
+
348
+
349
+ Wu Standards Track [Page 7]
350
+
351
+ RFC 2945 SRP Authentication & Key Exchange System September 2000
352
+
353
+
354
+ 7. Full Copyright Statement
355
+
356
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
357
+
358
+ This document and translations of it may be copied and furnished to
359
+ others, and derivative works that comment on or otherwise explain it
360
+ or assist in its implementation may be prepared, copied, published
361
+ and distributed, in whole or in part, without restriction of any
362
+ kind, provided that the above copyright notice and this paragraph are
363
+ included on all such copies and derivative works. However, this
364
+ document itself may not be modified in any way, such as by removing
365
+ the copyright notice or references to the Internet Society or other
366
+ Internet organizations, except as needed for the purpose of
367
+ developing Internet standards in which case the procedures for
368
+ copyrights defined in the Internet Standards process must be
369
+ followed, or as required to translate it into languages other than
370
+ English.
371
+
372
+ The limited permissions granted above are perpetual and will not be
373
+ revoked by the Internet Society or its successors or assigns.
374
+
375
+ This document and the information contained herein is provided on an
376
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
377
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
378
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
379
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
380
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
381
+
382
+ Acknowledgement
383
+
384
+ Funding for the RFC Editor function is currently provided by the
385
+ Internet Society.
386
+
387
+
388
+
389
+
390
+
391
+
392
+
393
+
394
+
395
+
396
+
397
+
398
+
399
+
400
+
401
+
402
+
403
+
404
+
405
+ Wu Standards Track [Page 8]
406
+