There is a secure protocol called "SRP" developed by some folks at Stanford. Their web page (http://srp.stanford.edu/srp) speaks very positively about this protocol, citing some seemingly significant advantages over ssh and kerberos. But other than the information on their web page, I've found very little mention of it anywhere on the net, even though SRP has been in active use on the Stanford campus since summer of 1997. Has anyone used SRP? Is there some fatal flaw which is preventing its widespread acceptance? Pete Gonzalez Jefferson Systems gonzat_private P.S. I've attached some relevant text, since their web server currently seems to be down... ----------------------------------------------------------------------------- Abstract from the original proposal ----------------------------------------------------------------------------- This paper presents a new password authentication and key-exchange protocol suitable for authenticating users and exchanging keys over an untrusted network. The new protocol resists dictionary attacks mounted by either passive or active network intruders, allowing, in principle, even weak passphrases to be used safely. It also offers perfect forward secrecy, which protects past sessions and passwords against future compromises. Finally, user passwords are stored in a form that is not plaintext-equivalent to the password itself, so an attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host. This new protocol combines techniques of zero-knowledge proofs with asymmetric key exchange protocols and offers significantly improved performance over comparably strong extended methods that resist stolen-verifier attacks such as Augmented EKE or B-SPEKE. ----------------------------------------------------------------------------- http://srp.stanford.edu/srp/advantages.html ----------------------------------------------------------------------------- Advantages and Benefits of SRP Although SRP's main claim to fame is its improved security relative to existing password authentication mechanisms, SRP actually offers advantages in several other areas as well. First, though, we discuss the security implications. _________________________________________________________________ Security Advantages In a nutshell, here are some of the properties that make SRP a strong authentication protocol: 1. SRP is safe against snooping. The password is never passed over the network, either in the clear or encrypted. 2. SRP is immune to replay attacks. None of the information exchanged during authentication can be re-used to gain access to a server using SRP. 3. SRP exchanges a session key in the process of authentication. This key can be used to encrypt the user's login session and protect it from both snooping and malicious active attack. 4. SRP can provide mutual authentication. This requires both sides to keep their secrets secure, obviously. 5. SRP resists the dreaded off-line dictionary attack based on exchanged messages. The traffic exchanged over the network is insufficient to verify a guess of a user's password. 6. SRP offers perfect forward secrecy. A compromised password will not allow an intruder to decrypt past sessions. A compromised session key will not allow an intruder to find out a password. This includes resistance to the infamous Denning-Sacco attack; a compromised session key will not permit an attacker to mount a dictionary attack against the password. 7. SRP can tolerate a compromise of the verifier database on the host. Although such a compromise may enable some attacks against the system (dictionary attack, host impersonation), it is not necessarily catastrophic, because the password entries can only be used for verification of a user's password (i.e. they are not plaintext-equivalent to the actual passwords). They can not be used by an intruder to gain direct access to a host. The last three issues are what I call the "Big-3" of password authentication, and they are discussed in greater detail on a [1]separate page. They are, as a rule, difficult constraints to satisfy. If one considers only protocols that resist dictionary attacks (the first constraint), one is left with the EKE family of protocols and a few other public-key assisted protocols. If one also requires perfect forward secrecy, that leaves only the strongest of the EKE family protocols, like DH-EKE and SPEKE. When one throws in the final requirement for non plaintext-equivalence, one is left finally with the null set. Until now, that is. SRP has been demonstrated to satisfy all three of the "Big-3" requirements. To date, protocols that satisfy even two of the three requirements are considered rare, especially if non-plaintext-equivalence is one of the two. SRP's security advantages make it uniquely suited for use in a wide variety of environments, especially those where vulnerability to any one of the "Big-3" attacks would have been problematic. In a nutshell, SRP-3 is the "right" way to do password authentication. All other known direct authentication mechanisms are demonstratably inferior to it, either by being less secure, less convenient, or slower. It gives the maximum possible security obtainable with a simple password, and it can be easily layered on top of other security services to create a more bulletproof security model. _________________________________________________________________ Technical Advantages Aside from purely security-related benefits, SRP has a number of technical and practical advantages that make it an versatile protocol. 1. SRP is a fairly simple protocol. SRP involves little more than exponentiation, addition, multiplication, and hashing, all of which are easily understood and implemented. 2. SRP is fast. It is a commonly accepted article of faith that strong authentication protocols must perform some form of slow public-key computation during authentication. SRP runs as quickly as a conventional, anonymous Diffie-Hellman key exchange, and many of the optimizations that work with D-H can be applied to SRP, e.g. parallelizing operations to minimize user-visible delay. Typical unoptimized implementations have been shown to take under a second to complete authentication. 3. SRP is easy to standardize, implement, and debug. Since SRP is based on a set of simple operations, it is fairly easy to find existing code that performs the component functions and integrate it into any client application. Also, since SRP is fairly economical with respect to network traffic, it is fairly easy to specify and standardize for widespread use. The messages are all easy to characterize and are fairly specific in nature. Practical prototypes of networked utilities that support SRP have already been built and tested. Because of SRP's relative simplicity, the prototypes have proven to be robust and fairly bug-free, not to mention fast. SRP is at or near the most of the theoretical limits of strong authentication protocols. It is believed that three messages is the absolute minimum number of messages required for strong authentication; SRP uses four (not counting the identity and parameter messages in either case), but the last one is required only if mutual authentication is desired. An SRP API library consisting of simple file and session manipulation primitives has been written, and the current prototypes have been built using it. SRP lends itself readily to small implementations and short, compact technical specifications. Internet drafts for the Telnet and FTP protocol extensions have already been written. Organizations and standards bodies should find SRP fairly easy to adopt and integrate into existing specifications and code. _________________________________________________________________ Political Advantages While the security of a protocol should be the primary concern of anyone who is considering its use, legal and policy issues should not be overlooked. In this area, SRP also has some appealing advantages for potential users. 1. SRP is free for non-commercial use. As the inventor of SRP, I have decided to make it free for all non-commercial implementations. Most of the other strong protocols discussed previously are protected by patents held by various large corporations, most of whom are more interested in collecting license fees than encouraging the spread of strong password authentication. 2. SRP does not use encryption to perform authentication. This is an important distinction in SRP's favor. While protocols in the EKE family, for example, depend on symmetric ciphers, SRP requires only modular arithmetic and one-way hash functions. Since no encryption is employed, SRP is not affected by U.S. export regulations and can be freely transferred in and out of the U.S. 3. SRP does not use RSA or any other RSADSI intellectual property. In fact, SRP does not use any public-key cryptosystems or digital signature schemes at all. It is based entirely on arithmetic and hashing, both of which can be done with freely-available code and algorithms. Thus, entirely free implementations of SRP can and have been written. Patents, trademarks, and export regulations have all conspired to make the creation and distribution of cryptographic products more difficult than they should be. SRP is my attempt at opening up access to secure password authentication systems and allowing them to become more widespread. A simple, secure authentication mechanism that is clear of RSADSI intellectual property, not export regulated by the U.S. Commerce Department, and free for non-commercial use would be ideal for free software makers, who have long been at a disadvantage relative to large companies who could generally afford the steep licensing fees and the overhead of obtaining export approval. _________________________________________________________________ [2]Back References 1. http://srp.stanford.edu/srp/issues.html 2. http://srp.stanford.edu/srp/index.html
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:47 PDT