Secure Remote Protocol

SRP


What is SRP?

The Secure Remote Password (SRP) Protocol is an augmented Password-Authentication Key Agreement (PAKE) protocol, this means that two (or more) parties interactively establish cryptographic keys based on one party's knowledge of a password.

The Client is the only one knowing the password and the Server does not store any password-equivalent data, so if the data stored on the Server is compromised then it is not possible for the attacker to directly masquerade as the client. Man-in-the-middle attacks or eavesdroppers does not work on the protocol because they cannot obtain enough information to bruteforce the password without interaction with the server for each guess.

Since an attacker have to interact with the server on every guess for the password the Server can take extra counter measurements in order to ensure that the attacker cannot bruteforce the system. Strong security can therefore be achieved by using a relatively weak password. When the protocol is completed the Client has authenticated itself to the server, without sharing or showing the password.

Safeguards

On both the server and the client safeguards must be implemented in order to handle errors and abort the protocol. The server will abort if it receives an A value from the client where A == 0 or A mod(N) == 0, similarly will the client abort if it receives a B value from the server where B == 0 or B mod(N) == 0, or if the calculation of u = Hash(A,B) is equal to 0 (u == 0).

According to the Stanford SRP protocol design another safeguard should be implemented, where the client must show his proof of K first. If the server detects that the client's proof is incorrect, it must abort without showing its own proof of K. This is done by first generating and sending M1 from the Client to the Server, upon reception the Server will match it's own calculated M1 with the one received from the Client, if they are unequal the proof if K is incorrect and the server will abort. If the two M1 values match then the server generates M2 = Hash(A, M1, K) and sends it to the Client for verification. The Client calculates its own M2 and matches it to the M2 received from the Server if they are unequal the Client abort otherwise the proof of K is completed.

The protocol

Protocol flow

The flow of the SRP protocol including calculations and communication is shown below in figure 1.


Figure 1 - The SRP protocol flow

One of the reasons why this protocol works is because the session key S, is computed on the Client and the Server and can be derived to the same even though they are computed differently by the two parties.

The RFC 5054 [1] specify that the hash-function used in SRP protocol should be SHA-1, but the computation power has increased since the RFC 5054 was written in 2007. The SHA-1 hash-function was published in 1995, and is now deprecated and it is highly recommended to use a better hash-function e.g. SHA-256. Due to these factors, the increase in computational power ant the deprecation at least the SHA-2 hash-function should be used.

For the protocol to be safe the values used in the protocol have to be sufficiently large. In Appendix A and B of "Using the Secure Remote Password (SRP) Protocol for TLS Authentication" by Taylor, et al. [1] different examples are presented for different bit groups. It is recommended to use at least the 2048 bit-group.

Reference

[1] Taylor, et al., 2007, Using the Secure Remote Password (SRP) Protocol for TLS Authentication, IETF's RFC 5054, https://tools.ietf.org/html/rfc5054

Published November 2015

Links

SRP notation

In the explanation of the Secure Remote Password protocol the following notation is used.

  • N is a large safe prime (N=2q+1, where q is a prime)
  • g is a generator modulo N
  • H( ) is a one-way algorithmic Hash-function
  • k is a multiplier parameter (k = H(N,g))
  • s is the client's salt, a large random sequence
  • I is the username or userId
  • p is the user's password in clear text
  • u is a random scrambling parameter (u = H(A,B))
  • a and b is secret, random generated, short lasting number
  • A is a short lasting public value (A = ga)
  • B is a short lasting public value (A = kv+gb)
  • x is the private key derived from p and s (x = H(s,p))
  • v is the password verifier (v = gx)
  • S is the computed session key
  • M1 and M2 messages exchanged to verify correctness of K
  • K is the proof of the session key

Reperio | 8000 Aarhus | E-mail: info@reperio.dk | Copyright © 2015