added RFC for srp protocol

1 files changed, 451 insertions, 0 deletions

diff --git a/doc/protocol/rfc2945.txt b/doc/protocol/rfc2945.txt
new file mode 100644
index 0000000000..983c441c35
--- /dev/null
+++ b/doc/protocol/rfc2945.txt
@@ -0,0 +1,451 @@
+
+
+
+
+
+
+Network Working Group                                              T. Wu
+Request for Comments: 2945                           Stanford University
+Category: Standards Track                                 September 2000
+
+
+             The SRP Authentication and Key Exchange System
+
+Status of this Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+Abstract
+
+   This document describes a cryptographically strong network
+   authentication mechanism known as the Secure Remote Password (SRP)
+   protocol.  This mechanism is suitable for negotiating secure
+   connections using a user-supplied password, while eliminating the
+   security problems traditionally associated with reusable passwords.
+   This system also performs a secure key exchange in the process of
+   authentication, allowing security layers (privacy and/or integrity
+   protection) to be enabled during the session.  Trusted key servers
+   and certificate infrastructures are not required, and clients are not
+   required to store or manage any long-term keys.  SRP offers both
+   security and deployment advantages over existing challenge-response
+   techniques, making it an ideal drop-in replacement where secure
+   password authentication is needed.
+
+1. Introduction
+
+   The lack of a secure authentication mechanism that is also easy to
+   use has been a long-standing problem with the vast majority of
+   Internet protocols currently in use.  The problem is two-fold: Users
+   like to use passwords that they can remember, but most password-based
+   authentication systems offer little protection against even passive
+   attackers, especially if weak and easily-guessed passwords are used.
+
+   Eavesdropping on a TCP/IP network can be carried out very easily and
+   very effectively against protocols that transmit passwords in the
+   clear.  Even so-called "challenge-response" techniques like the one
+   described in [RFC 2095] and [RFC 1760], which are designed to defeat
+
+
+
+Wu                          Standards Track                     [Page 1]
+
+RFC 2945        SRP Authentication & Key Exchange System  September 2000
+
+
+   simple sniffing attacks, can be compromised by what is known as a
+   "dictionary attack".  This occurs when an attacker captures the
+   messages exchanged during a legitimate run of the protocol and uses
+   that information to verify a series of guessed passwords taken from a
+   precompiled "dictionary" of common passwords.  This works because
+   users often choose simple, easy-to-remember passwords, which
+   invariably are also easy to guess.
+
+   Many existing mechanisms also require the password database on the
+   host to be kept secret because the password P or some private hash
+   h(P) is stored there and would compromise security if revealed.  That
+   approach often degenerates into "security through obscurity" and goes
+   against the UNIX convention of keeping a "public" password file whose
+   contents can be revealed without destroying system security.
+
+   SRP meets the strictest requirements laid down in [RFC 1704] for a
+   non-disclosing authentication protocol.  It offers complete
+   protection against both passive and active attacks, and accomplishes
+   this efficiently using a single Diffie-Hellman-style round of
+   computation, making it feasible to use in both interactive and non-
+   interactive authentication for a wide range of Internet protocols.
+   Since it retains its security when used with low-entropy passwords,
+   it can be seamlessly integrated into existing user applications.
+
+2. Conventions and Terminology
+
+   The protocol described by this document is sometimes referred to as
+   "SRP-3" for historical purposes.  This particular protocol is
+   described in [SRP] and is believed to have very good logical and
+   cryptographic resistance to both eavesdropping and active attacks.
+
+   This document does not attempt to describe SRP in the context of any
+   particular Internet protocol; instead it describes an abstract
+   protocol that can be easily fitted to a particular application.  For
+   example, the specific format of messages (including padding) is not
+   specified.  Those issues have been left to the protocol implementor
+   to decide.
+
+   The one implementation issue worth specifying here is the mapping
+   between strings and integers.  Internet protocols are byte-oriented,
+   while SRP performs algebraic operations on its messages, so it is
+   logical to define at least one method by which integers can be
+   converted into a string of bytes and vice versa.
+
+   An n-byte string S can be converted to an integer as follows:
+
+   i = S[n-1] + 256 * S[n-2] + 256^2 * S[n-3] + ... + 256^(n-1) * S[0]
+
+
+
+
+Wu                          Standards Track                     [Page 2]
+
+RFC 2945        SRP Authentication & Key Exchange System  September 2000
+
+
+   where i is the integer and S[x] is the value of the x'th byte of S.
+   In human terms, the string of bytes is the integer expressed in base
+   256, with the most significant digit first.  When converting back to
+   a string, S[0] must be non-zero (padding is considered to be a
+   separate, independent process).  This conversion method is suitable
+   for file storage, in-memory representation, and network transmission
+   of large integer values.  Unless otherwise specified, this mapping
+   will be assumed.
+
+   If implementations require padding a string that represents an
+   integer value, it is recommended that they use zero bytes and add
+   them to the beginning of the string.  The conversion back to integer
+   automatically discards leading zero bytes, making this padding scheme
+   less prone to error.
+
+   The SHA hash function, when used in this document, refers to the
+   SHA-1 message digest algorithm described in [SHA1].
+
+3. The SRP-SHA1 mechanism
+
+   This section describes an implementation of the SRP authentication
+   and key-exchange protocol that employs the SHA hash function to
+   generate session keys and authentication proofs.
+
+   The host stores user passwords as triplets of the form
+
+        { <username>, <password verifier>, <salt> }
+
+   Password entries are generated as follows:
+
+        <salt> = random()
+        x = SHA(<salt> | SHA(<username> | ":" | <raw password>))
+        <password verifier> = v = g^x % N
+
+   The | symbol indicates string concatenation, the ^ operator is the
+   exponentiation operation, and the % operator is the integer remainder
+   operation.  Most implementations perform the exponentiation and
+   remainder in a single stage to avoid generating unwieldy intermediate
+   results.  Note that the 160-bit output of SHA is implicitly converted
+   to an integer before it is operated upon.
+
+   Authentication is generally initiated by the client.
+
+      Client                             Host
+     --------                           ------
+      U = <username>              -->
+                                     <--    s = <salt from passwd file>
+
+
+
+
+Wu                          Standards Track                     [Page 3]
+
+RFC 2945        SRP Authentication & Key Exchange System  September 2000
+
+
+   Upon identifying himself to the host, the client will receive the
+   salt stored on the host under his username.
+
+      a = random()
+      A = g^a % N                 -->
+                                         v = <stored password verifier>
+                                         b = random()
+                                  <--    B = (v + g^b) % N
+
+      p = <raw password>
+      x = SHA(s | SHA(U | ":" | p))
+
+      S = (B - g^x) ^ (a + u * x) % N    S = (A * v^u) ^ b % N
+      K = SHA_Interleave(S)              K = SHA_Interleave(S)
+      (this function is described
+       in the next section)
+
+   The client generates a random number, raises g to that power modulo
+   the field prime, and sends the result to the host.  The host does the
+   same thing and also adds the public verifier before sending it to the
+   client.  Both sides then construct the shared session key based on
+   the respective formulae.
+
+   The parameter u is a 32-bit unsigned integer which takes its value
+   from the first 32 bits of the SHA1 hash of B, MSB first.
+
+   The client MUST abort authentication if B % N is zero.
+
+   The host MUST abort the authentication attempt if A % N is zero.  The
+   host MUST send B after receiving A from the client, never before.
+
+   At this point, the client and server should have a common session key
+   that is secure (i.e. not known to an outside party).  To finish
+   authentication, they must prove to each other that their keys are
+   identical.
+
+        M = H(H(N) XOR H(g) | H(U) | s | A | B | K)
+                                    -->
+                                    <--    H(A | M | K)
+
+   The server will calculate M using its own K and compare it against
+   the client's response.  If they do not match, the server MUST abort
+   and signal an error before it attempts to answer the client's
+   challenge.  Not doing so could compromise the security of the user's
+   password.
+
+
+
+
+
+
+Wu                          Standards Track                     [Page 4]
+
+RFC 2945        SRP Authentication & Key Exchange System  September 2000
+
+
+   If the server receives a correct response, it issues its own proof to
+   the client.  The client will compute the expected response using its
+   own K to verify the authenticity of the server.  If the client
+   responded correctly, the server MUST respond with its hash value.
+
+   The transactions in this protocol description do not necessarily have
+   a one-to-one correspondence with actual protocol messages.  This
+   description is only intended to illustrate the relationships between
+   the different parameters and how they are computed.  It is possible,
+   for example, for an implementation of the SRP-SHA1 mechanism to
+   consolidate some of the flows as follows:
+
+        Client                             Host
+       --------                           ------
+        U, A                        -->
+                                    <--    s, B
+        H(H(N) XOR H(g) | H(U) | s | A | B | K)
+                                    -->
+                                    <--    H(A | M | K)
+
+   The values of N and g used in this protocol must be agreed upon by
+   the two parties in question.  They can be set in advance, or the host
+   can supply them to the client.  In the latter case, the host should
+   send the parameters in the first message along with the salt.  For
+   maximum security, N should be a safe prime (i.e. a number of the form
+   N = 2q + 1, where q is also prime).  Also, g should be a generator
+   modulo N (see [SRP] for details), which means that for any X where 0
+   < X < N, there exists a value x for which g^x % N == X.
+
+3.1.  Interleaved SHA
+
+   The SHA_Interleave function used in SRP-SHA1 is used to generate a
+   session key that is twice as long as the 160-bit output of SHA1.  To
+   compute this function, remove all leading zero bytes from the input.
+   If the length of the resulting string is odd, also remove the first
+   byte.  Call the resulting string T.  Extract the even-numbered bytes
+   into a string E and the odd-numbered bytes into a string F, i.e.
+
+     E = T[0] | T[2] | T[4] | ...
+     F = T[1] | T[3] | T[5] | ...
+
+   Both E and F should be exactly half the length of T.  Hash each one
+   with regular SHA1, i.e.
+
+     G = SHA(E)
+     H = SHA(F)
+
+
+
+
+
+Wu                          Standards Track                     [Page 5]
+
+RFC 2945        SRP Authentication & Key Exchange System  September 2000
+
+
+   Interleave the two hashes back together to form the output, i.e.
+
+     result = G[0] | H[0] | G[1] | H[1] | ... | G[19] | H[19]
+
+   The result will be 40 bytes (320 bits) long.
+
+3.2.  Other Hash Algorithms
+
+   SRP can be used with hash functions other than SHA.  If the hash
+   function produces an output of a different length than SHA (20
+   bytes), it may change the length of some of the messages in the
+   protocol, but the fundamental operation will be unaffected.
+
+   Earlier versions of the SRP mechanism used the MD5 hash function,
+   described in [RFC 1321].  Keyed hash transforms are also recommended
+   for use with SRP; one possible construction uses HMAC [RFC 2104],
+   using K to key the hash in each direction instead of concatenating it
+   with the other parameters.
+
+   Any hash function used with SRP should produce an output of at least
+   16 bytes and have the property that small changes in the input cause
+   significant nonlinear changes in the output.  [SRP] covers these
+   issues in more depth.
+
+4. Security Considerations
+
+   This entire memo discusses an authentication and key-exchange system
+   that protects passwords and exchanges keys across an untrusted
+   network.  This system improves security by eliminating the need to
+   send cleartext passwords over the network and by enabling encryption
+   through its secure key-exchange mechanism.
+
+   The private values for a and b correspond roughly to the private
+   values in a Diffie-Hellman exchange and have similar constraints of
+   length and entropy.  Implementations may choose to increase the
+   length of the parameter u, as long as both client and server agree,
+   but it is not recommended that it be shorter than 32 bits.
+
+   SRP has been designed not only to counter the threat of casual
+   password-sniffing, but also to prevent a determined attacker equipped
+   with a dictionary of passwords from guessing at passwords using
+   captured network traffic.  The SRP protocol itself also resists
+   active network attacks, and implementations can use the securely
+   exchanged keys to protect the session against hijacking and provide
+   confidentiality.
+
+
+
+
+
+
+Wu                          Standards Track                     [Page 6]
+
+RFC 2945        SRP Authentication & Key Exchange System  September 2000
+
+
+   SRP also has the added advantage of permitting the host to store
+   passwords in a form that is not directly useful to an attacker.  Even
+   if the host's password database were publicly revealed, the attacker
+   would still need an expensive dictionary search to obtain any
+   passwords.  The exponential computation required to validate a guess
+   in this case is much more time-consuming than the hash currently used
+   by most UNIX systems.  Hosts are still advised, though, to try their
+   best to keep their password files secure.
+
+5. References
+
+   [RFC 1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
+               April 1992.
+
+   [RFC 1704]  Haller, N. and R. Atkinson, "On Internet Authentication",
+               RFC 1704, October 1994.
+
+   [RFC 1760]  Haller, N., "The S/Key One-Time Password System", RFC
+               1760, Feburary 1995.
+
+   [RFC 2095]  Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP
+               AUTHorize Extension for Simple Challenge/Response", RFC
+               2095, January 1997.
+
+   [RFC 2104]  Krawczyk, H., Bellare, M. and  R. Canetti, "HMAC: Keyed-
+               Hashing for Message Authentication", RFC 2104, February
+               1997.
+
+   [SHA1]      National Institute of Standards and Technology (NIST),
+               "Announcing the Secure Hash Standard", FIPS 180-1, U.S.
+               Department of Commerce, April 1995.
+
+   [SRP]       T. Wu, "The Secure Remote Password Protocol", In
+               Proceedings of the 1998 Internet Society Symposium on
+               Network and Distributed Systems Security, San Diego, CA,
+               pp. 97-111.
+
+6. Author's Address
+
+   Thomas Wu
+   Stanford University
+   Stanford, CA 94305
+
+   EMail: tjw@cs.Stanford.EDU
+
+
+
+
+
+
+
+Wu                          Standards Track                     [Page 7]
+
+RFC 2945        SRP Authentication & Key Exchange System  September 2000
+
+
+7.  Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wu                          Standards Track                     [Page 8]
+