sirp 2.0.0.pre

Sign up to get free protection for your applications and to get access to all the features.
@@ -0,0 +1,8 @@
1
+ require 'bundler/gem_tasks'
2
+ require 'rspec/core/rake_task'
3
+ require 'wwtd/tasks'
4
+
5
+ RSpec::Core::RakeTask.new(:spec)
6
+
7
+ task default: :spec
8
+ task test: :spec
@@ -0,0 +1,14 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require 'bundler/setup'
4
+ require 'sirp'
5
+
6
+ # You can add fixtures and/or initialization code here to make experimenting
7
+ # with your gem easier. You can also use a different console, if you like.
8
+
9
+ # (If you use this, don't forget to add pry to your Gemfile!)
10
+ require 'pry'
11
+ Pry.start
12
+
13
+ require 'irb'
14
+ IRB.start
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
@@ -0,0 +1,21 @@
1
+ -----BEGIN CERTIFICATE-----
2
+ MIIDYDCCAkigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQ4wDAYDVQQDDAVnbGVu
3
+ bjEVMBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwHhcN
4
+ MTYwNDExMDI0NTU0WhcNMTcwNDExMDI0NTU0WjA7MQ4wDAYDVQQDDAVnbGVubjEV
5
+ MBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwggEiMA0G
6
+ CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZqTH5Jf+D/W2B4BIiL49CpHa86rK/
7
+ oT+v3xZwuEE92lJea+ygn3IAsidVTW47AKE6Lt3UqUkGQGKxsqH/Dhir08BqjLlD
8
+ gBUozGZpM3B6uWZnD6QXLbOmZeGVDnwB/QDfzaawN1i3smlYxYT+KNLjl80aN3we
9
+ /cHAWG7JG47AF/S91mYcg1WgZnDgZt9+RyVR1AsfYbM+SidOSoXEOHPCbuUxLKJb
10
+ gj5ieCFhm5GNWEugvgiX/ruas+VHV0fF3fzjYlU2fZPTuQyB4UD5FWX4UqdsBf3w
11
+ jB94TDBsJ3FVGPbggEhLGKd8pbQmBIOqXolGaqhs7dnuf5imu5mAXHC1AgMBAAGj
12
+ bzBtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBRfxEyosUbKjfFa
13
+ j+gae2CcT3aFCTAZBgNVHREEEjAQgQ5nbGVubkByZW1wZS51czAZBgNVHRIEEjAQ
14
+ gQ5nbGVubkByZW1wZS51czANBgkqhkiG9w0BAQUFAAOCAQEAzgK20+MNOknR9Kx6
15
+ RisI3DsioCADjGldxY+INrwoTfPDVmNm4GdTYC+V+/BvxJw1RqHjEbuXSg0iibQC
16
+ 4vN+th0Km7dnas/td1i+EKfGencfyQyecIaG9l3kbCkCWnldRtZ+BS5EfP2ML2u8
17
+ fyCtze/Piovu8IwXL1W5kGZMnvzLmWxdqI3VPUou40n8F+EiMMLgd53kpzjtNOau
18
+ 4W+mqVGOwlEGVSgI5+0SIsD8pvc62PlPWTv0kn1bcufKKCZmoVmpfbe3j4JpBInq
19
+ zieXiXZSAojfFx9g91fKdIrlPbInHU/BaCxXSLBwvOM0drE+c2ue9X8gB55XAhzX
20
+ 37oBiw==
21
+ -----END CERTIFICATE-----
@@ -0,0 +1,406 @@
1
+
2
+
3
+
4
+
5
+
6
+
7
+ Network Working Group T. Wu
8
+ Request for Comments: 2945 Stanford University
9
+ Category: Standards Track September 2000
10
+
11
+
12
+ The SRP Authentication and Key Exchange System
13
+
14
+ Status of this Memo
15
+
16
+ This document specifies an Internet standards track protocol for the
17
+ Internet community, and requests discussion and suggestions for
18
+ improvements. Please refer to the current edition of the "Internet
19
+ Official Protocol Standards" (STD 1) for the standardization state
20
+ and status of this protocol. Distribution of this memo is unlimited.
21
+
22
+ Copyright Notice
23
+
24
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
25
+
26
+ Abstract
27
+
28
+ This document describes a cryptographically strong network
29
+ authentication mechanism known as the Secure Remote Password (SRP)
30
+ protocol. This mechanism is suitable for negotiating secure
31
+ connections using a user-supplied password, while eliminating the
32
+ security problems traditionally associated with reusable passwords.
33
+ This system also performs a secure key exchange in the process of
34
+ authentication, allowing security layers (privacy and/or integrity
35
+ protection) to be enabled during the session. Trusted key servers
36
+ and certificate infrastructures are not required, and clients are not
37
+ required to store or manage any long-term keys. SRP offers both
38
+ security and deployment advantages over existing challenge-response
39
+ techniques, making it an ideal drop-in replacement where secure
40
+ password authentication is needed.
41
+
42
+ 1. Introduction
43
+
44
+ The lack of a secure authentication mechanism that is also easy to
45
+ use has been a long-standing problem with the vast majority of
46
+ Internet protocols currently in use. The problem is two-fold: Users
47
+ like to use passwords that they can remember, but most password-based
48
+ authentication systems offer little protection against even passive
49
+ attackers, especially if weak and easily-guessed passwords are used.
50
+
51
+ Eavesdropping on a TCP/IP network can be carried out very easily and
52
+ very effectively against protocols that transmit passwords in the
53
+ clear. Even so-called "challenge-response" techniques like the one
54
+ described in [RFC 2095] and [RFC 1760], which are designed to defeat
55
+
56
+
57
+
58
+ Wu Standards Track [Page 1]
59
+
60
+ RFC 2945 SRP Authentication & Key Exchange System September 2000
61
+
62
+
63
+ simple sniffing attacks, can be compromised by what is known as a
64
+ "dictionary attack". This occurs when an attacker captures the
65
+ messages exchanged during a legitimate run of the protocol and uses
66
+ that information to verify a series of guessed passwords taken from a
67
+ precompiled "dictionary" of common passwords. This works because
68
+ users often choose simple, easy-to-remember passwords, which
69
+ invariably are also easy to guess.
70
+
71
+ Many existing mechanisms also require the password database on the
72
+ host to be kept secret because the password P or some private hash
73
+ h(P) is stored there and would compromise security if revealed. That
74
+ approach often degenerates into "security through obscurity" and goes
75
+ against the UNIX convention of keeping a "public" password file whose
76
+ contents can be revealed without destroying system security.
77
+
78
+ SRP meets the strictest requirements laid down in [RFC 1704] for a
79
+ non-disclosing authentication protocol. It offers complete
80
+ protection against both passive and active attacks, and accomplishes
81
+ this efficiently using a single Diffie-Hellman-style round of
82
+ computation, making it feasible to use in both interactive and non-
83
+ interactive authentication for a wide range of Internet protocols.
84
+ Since it retains its security when used with low-entropy passwords,
85
+ it can be seamlessly integrated into existing user applications.
86
+
87
+ 2. Conventions and Terminology
88
+
89
+ The protocol described by this document is sometimes referred to as
90
+ "SRP-3" for historical purposes. This particular protocol is
91
+ described in [SRP] and is believed to have very good logical and
92
+ cryptographic resistance to both eavesdropping and active attacks.
93
+
94
+ This document does not attempt to describe SRP in the context of any
95
+ particular Internet protocol; instead it describes an abstract
96
+ protocol that can be easily fitted to a particular application. For
97
+ example, the specific format of messages (including padding) is not
98
+ specified. Those issues have been left to the protocol implementor
99
+ to decide.
100
+
101
+ The one implementation issue worth specifying here is the mapping
102
+ between strings and integers. Internet protocols are byte-oriented,
103
+ while SRP performs algebraic operations on its messages, so it is
104
+ logical to define at least one method by which integers can be
105
+ converted into a string of bytes and vice versa.
106
+
107
+ An n-byte string S can be converted to an integer as follows:
108
+
109
+ i = S[n-1] + 256 * S[n-2] + 256^2 * S[n-3] + ... + 256^(n-1) * S[0]
110
+
111
+ where i is the integer and S[x] is the value of the x'th byte of S.
112
+ In human terms, the string of bytes is the integer expressed in base
113
+ 256, with the most significant digit first. When converting back to
114
+ a string, S[0] must be non-zero (padding is considered to be a
115
+ separate, independent process). This conversion method is suitable
116
+ for file storage, in-memory representation, and network transmission
117
+ of large integer values. Unless otherwise specified, this mapping
118
+ will be assumed.
119
+
120
+ If implementations require padding a string that represents an
121
+ integer value, it is recommended that they use zero bytes and add
122
+ them to the beginning of the string. The conversion back to integer
123
+ automatically discards leading zero bytes, making this padding scheme
124
+ less prone to error.
125
+
126
+ The SHA hash function, when used in this document, refers to the
127
+ SHA-1 message digest algorithm described in [SHA1].
128
+
129
+ 3. The SRP-SHA1 mechanism
130
+
131
+ This section describes an implementation of the SRP authentication
132
+ and key-exchange protocol that employs the SHA hash function to
133
+ generate session keys and authentication proofs.
134
+
135
+ The host stores user passwords as triplets of the form
136
+
137
+ { <username>, <password verifier>, <salt> }
138
+
139
+ Password entries are generated as follows:
140
+
141
+ <salt> = random()
142
+ x = SHA(<salt> | SHA(<username> | ":" | <raw password>))
143
+ <password verifier> = v = g^x % N
144
+
145
+ The | symbol indicates string concatenation, the ^ operator is the
146
+ exponentiation operation, and the % operator is the integer remainder
147
+ operation. Most implementations perform the exponentiation and
148
+ remainder in a single stage to avoid generating unwieldy intermediate
149
+ results. Note that the 160-bit output of SHA is implicitly converted
150
+ to an integer before it is operated upon.
151
+
152
+ Authentication is generally initiated by the client.
153
+
154
+ Client Host
155
+ -------- ------
156
+ U = <username> -->
157
+ <-- s = <salt from passwd file>
158
+
159
+ Upon identifying himself to the host, the client will receive the
160
+ salt stored on the host under his username.
161
+
162
+ a = random()
163
+ A = g^a % N -->
164
+ v = <stored password verifier>
165
+ b = random()
166
+ <-- B = (v + g^b) % N
167
+
168
+ p = <raw password>
169
+ x = SHA(s | SHA(U | ":" | p))
170
+
171
+ S = (B - g^x) ^ (a + u * x) % N S = (A * v^u) ^ b % N
172
+ K = SHA_Interleave(S) K = SHA_Interleave(S)
173
+ (this function is described
174
+ in the next section)
175
+
176
+ The client generates a random number, raises g to that power modulo
177
+ the field prime, and sends the result to the host. The host does the
178
+ same thing and also adds the public verifier before sending it to the
179
+ client. Both sides then construct the shared session key based on
180
+ the respective formulae.
181
+
182
+ The parameter u is a 32-bit unsigned integer which takes its value
183
+ from the first 32 bits of the SHA1 hash of B, MSB first.
184
+
185
+ The client MUST abort authentication if B % N is zero.
186
+
187
+ The host MUST abort the authentication attempt if A % N is zero. The
188
+ host MUST send B after receiving A from the client, never before.
189
+
190
+ At this point, the client and server should have a common session key
191
+ that is secure (i.e. not known to an outside party). To finish
192
+ authentication, they must prove to each other that their keys are
193
+ identical.
194
+
195
+ M = H(H(N) XOR H(g) | H(U) | s | A | B | K)
196
+ -->
197
+ <-- H(A | M | K)
198
+
199
+ The server will calculate M using its own K and compare it against
200
+ the client's response. If they do not match, the server MUST abort
201
+ and signal an error before it attempts to answer the client's
202
+ challenge. Not doing so could compromise the security of the user's
203
+ password.
204
+
205
+ If the server receives a correct response, it issues its own proof to
206
+ the client. The client will compute the expected response using its
207
+ own K to verify the authenticity of the server. If the client
208
+ responded correctly, the server MUST respond with its hash value.
209
+
210
+ The transactions in this protocol description do not necessarily have
211
+ a one-to-one correspondence with actual protocol messages. This
212
+ description is only intended to illustrate the relationships between
213
+ the different parameters and how they are computed. It is possible,
214
+ for example, for an implementation of the SRP-SHA1 mechanism to
215
+ consolidate some of the flows as follows:
216
+
217
+ Client Host
218
+ -------- ------
219
+ U, A -->
220
+ <-- s, B
221
+ H(H(N) XOR H(g) | H(U) | s | A | B | K)
222
+ -->
223
+ <-- H(A | M | K)
224
+
225
+ The values of N and g used in this protocol must be agreed upon by
226
+ the two parties in question. They can be set in advance, or the host
227
+ can supply them to the client. In the latter case, the host should
228
+ send the parameters in the first message along with the salt. For
229
+ maximum security, N should be a safe prime (i.e. a number of the form
230
+ N = 2q + 1, where q is also prime). Also, g should be a generator
231
+ modulo N (see [SRP] for details), which means that for any X where 0
232
+ < X < N, there exists a value x for which g^x % N == X.
233
+
234
+ 3.1. Interleaved SHA
235
+
236
+ The SHA_Interleave function used in SRP-SHA1 is used to generate a
237
+ session key that is twice as long as the 160-bit output of SHA1. To
238
+ compute this function, remove all leading zero bytes from the input.
239
+ If the length of the resulting string is odd, also remove the first
240
+ byte. Call the resulting string T. Extract the even-numbered bytes
241
+ into a string E and the odd-numbered bytes into a string F, i.e.
242
+
243
+ E = T[0] | T[2] | T[4] | ...
244
+ F = T[1] | T[3] | T[5] | ...
245
+
246
+ Both E and F should be exactly half the length of T. Hash each one
247
+ with regular SHA1, i.e.
248
+
249
+ G = SHA(E)
250
+ H = SHA(F)
251
+
252
+ Interleave the two hashes back together to form the output, i.e.
253
+
254
+ result = G[0] | H[0] | G[1] | H[1] | ... | G[19] | H[19]
255
+
256
+ The result will be 40 bytes (320 bits) long.
257
+
258
+ 3.2. Other Hash Algorithms
259
+
260
+ SRP can be used with hash functions other than SHA. If the hash
261
+ function produces an output of a different length than SHA (20
262
+ bytes), it may change the length of some of the messages in the
263
+ protocol, but the fundamental operation will be unaffected.
264
+
265
+ Earlier versions of the SRP mechanism used the MD5 hash function,
266
+ described in [RFC 1321]. Keyed hash transforms are also recommended
267
+ for use with SRP; one possible construction uses HMAC [RFC 2104],
268
+ using K to key the hash in each direction instead of concatenating it
269
+ with the other parameters.
270
+
271
+ Any hash function used with SRP should produce an output of at least
272
+ 16 bytes and have the property that small changes in the input cause
273
+ significant nonlinear changes in the output. [SRP] covers these
274
+ issues in more depth.
275
+
276
+ 4. Security Considerations
277
+
278
+ This entire memo discusses an authentication and key-exchange system
279
+ that protects passwords and exchanges keys across an untrusted
280
+ network. This system improves security by eliminating the need to
281
+ send cleartext passwords over the network and by enabling encryption
282
+ through its secure key-exchange mechanism.
283
+
284
+ The private values for a and b correspond roughly to the private
285
+ values in a Diffie-Hellman exchange and have similar constraints of
286
+ length and entropy. Implementations may choose to increase the
287
+ length of the parameter u, as long as both client and server agree,
288
+ but it is not recommended that it be shorter than 32 bits.
289
+
290
+ SRP has been designed not only to counter the threat of casual
291
+ password-sniffing, but also to prevent a determined attacker equipped
292
+ with a dictionary of passwords from guessing at passwords using
293
+ captured network traffic. The SRP protocol itself also resists
294
+ active network attacks, and implementations can use the securely
295
+ exchanged keys to protect the session against hijacking and provide
296
+ confidentiality.
297
+
298
+ SRP also has the added advantage of permitting the host to store
299
+ passwords in a form that is not directly useful to an attacker. Even
300
+ if the host's password database were publicly revealed, the attacker
301
+ would still need an expensive dictionary search to obtain any
302
+ passwords. The exponential computation required to validate a guess
303
+ in this case is much more time-consuming than the hash currently used
304
+ by most UNIX systems. Hosts are still advised, though, to try their
305
+ best to keep their password files secure.
306
+
307
+ 5. References
308
+
309
+ [RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
310
+ April 1992.
311
+
312
+ [RFC 1704] Haller, N. and R. Atkinson, "On Internet Authentication",
313
+ RFC 1704, October 1994.
314
+
315
+ [RFC 1760] Haller, N., "The S/Key One-Time Password System", RFC
316
+ 1760, Feburary 1995.
317
+
318
+ [RFC 2095] Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP
319
+ AUTHorize Extension for Simple Challenge/Response", RFC
320
+ 2095, January 1997.
321
+
322
+ [RFC 2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
323
+ Hashing for Message Authentication", RFC 2104, February
324
+ 1997.
325
+
326
+ [SHA1] National Institute of Standards and Technology (NIST),
327
+ "Announcing the Secure Hash Standard", FIPS 180-1, U.S.
328
+ Department of Commerce, April 1995.
329
+
330
+ [SRP] T. Wu, "The Secure Remote Password Protocol", In
331
+ Proceedings of the 1998 Internet Society Symposium on
332
+ Network and Distributed Systems Security, San Diego, CA,
333
+ pp. 97-111.
334
+
335
+ 6. Author's Address
336
+
337
+ Thomas Wu
338
+ Stanford University
339
+ Stanford, CA 94305
340
+
341
+ EMail: tjw@cs.Stanford.EDU
342
+
343
+
344
+
345
+
346
+
347
+
348
+
349
+ Wu Standards Track [Page 7]
350
+
351
+ RFC 2945 SRP Authentication & Key Exchange System September 2000
352
+
353
+
354
+ 7. Full Copyright Statement
355
+
356
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
357
+
358
+ This document and translations of it may be copied and furnished to
359
+ others, and derivative works that comment on or otherwise explain it
360
+ or assist in its implementation may be prepared, copied, published
361
+ and distributed, in whole or in part, without restriction of any
362
+ kind, provided that the above copyright notice and this paragraph are
363
+ included on all such copies and derivative works. However, this
364
+ document itself may not be modified in any way, such as by removing
365
+ the copyright notice or references to the Internet Society or other
366
+ Internet organizations, except as needed for the purpose of
367
+ developing Internet standards in which case the procedures for
368
+ copyrights defined in the Internet Standards process must be
369
+ followed, or as required to translate it into languages other than
370
+ English.
371
+
372
+ The limited permissions granted above are perpetual and will not be
373
+ revoked by the Internet Society or its successors or assigns.
374
+
375
+ This document and the information contained herein is provided on an
376
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
377
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
378
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
379
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
380
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
381
+
382
+ Acknowledgement
383
+
384
+ Funding for the RFC Editor function is currently provided by the
385
+ Internet Society.
386
+
387
+
388
+
389
+
390
+
391
+
392
+
393
+
394
+
395
+
396
+
397
+
398
+
399
+
400
+
401
+
402
+
403
+
404
+
405
+ Wu Standards Track [Page 8]
406
+