diff options
Diffstat (limited to 'doc/protocol/draft-ietf-tls-srp-00.txt')
-rw-r--r-- | doc/protocol/draft-ietf-tls-srp-00.txt | 504 |
1 files changed, 0 insertions, 504 deletions
diff --git a/doc/protocol/draft-ietf-tls-srp-00.txt b/doc/protocol/draft-ietf-tls-srp-00.txt deleted file mode 100644 index 814b9205e7..0000000000 --- a/doc/protocol/draft-ietf-tls-srp-00.txt +++ /dev/null @@ -1,504 +0,0 @@ - - -Network Working Group D. Taylor -Internet-Draft Forge Research Pty Ltd -Expires: August 6, 2001 February 5, 2001 - - - Using SRP for TLS Authentication - draft-ietf-tls-srp-00.txt - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other documents - at any time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on August 6, 2001. - -Copyright Notice - - Copyright (C) The Internet Society (2001). All Rights Reserved. - -Abstract - - This memo presents a technique for using the SRP (Secure Remote - Password) protocol as an authentication method for the TLS - (Transport Layer Security) protocol. - - - - - - - - - - - - -Taylor Expires August 6, 2001 [Page 1] - -Internet-Draft Using SRP for TLS Authentication February 2001 - - -1. Introduction - - At the time of writing, TLS[1] uses public key certificiates with - RSA/DSA digital signatures, or Kerberos, for authentication. - - These authentication methods do not seem well suited to the - applications now being adapted to use TLS (IMAP[3], FTP[4], or - TELNET[5], for example). Given these protocols (and others like - them) are designed to use the user name and password method of - authentication, being able to use user names and passwords to - authenticate the TLS connection seems to be a useful feature. - - SRP[2] is an authentication method that allows the use of user names - and passwords in a safe manner. - - This document describes the use of the SRP authentication method for - TLS. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Taylor Expires August 6, 2001 [Page 2] - -Internet-Draft Using SRP for TLS Authentication February 2001 - - -2. SRP Authentication in TLS - -2.1 Modifications to the TLS Handshake Sequence - - The SRP protocol can not be implemented using the sequence of - handshake messages defined in [1] due to the sequence in which the - SRP messages must be sent. - - This document proposes a new sequence of handshake messages for - handshakes using the SRP authentication method. - -2.1.1 Message Sequence - - Handshake Message Flow for SRP Authentication - - Client Server - | | - Client Hello (U) ------------------------> | - | <---------------------------- Server Hello - | <---------------------------- Server Key Exchange (g, N, s) - Client Key Exchange (A) -----------------> | - | <---------------------------- Server Key Exchange (B) - | <---------------------------- Server Hello Done - change cipher spec | - Finished --------------------------------> | - | change cipher spec - | <---------------------------- Finished - | | - - The identifiers given after each message name refer to variables - defined in [2] that are sent in that message. - - This new handshake sequence has a number of differences from the - standard TLS handshake sequence: - - o The client hello message has the user name appended to the - message. This is allowable as stated in section 7.4.1.2 of [1]. - - o The client cannot generate its its public key (A) until after it - has received the (g) and (N) paramters from the server, and the - client must send its public key before it receives the servers - public key (B) (as stated in section 3 of [2]). This means the - client must wait for a server key exchange message containing (g) - and (N), send a client key exchange message containing (A), and - then wait for another server key exchange message containing (B). - - o There is no server identification in this version of a TLS - handshake. If an attacker gets the SRP password file, they can - masquerade as the real system. - - -Taylor Expires August 6, 2001 [Page 3] - -Internet-Draft Using SRP for TLS Authentication February 2001 - - -2.2 Changes to the Handshake Message Contents - - This section describes the changes to the TLS handshake message - contents when SRP is being used for authentication. The details of - the on-the-wire changes are given in Section 2.5. - -2.2.1 The Client Hello Message - - The user name is appended to the standard client hello message. The - extra data is included in the handshake message hashes. - -2.2.2 The First Server Key Exchange Message - - The server key exchange message in the first round contains the - generator (g), the prime (N), and the salt value (s) read from the - SRP password file. - -2.2.3 The Client Key Exchange Message - - The client key exchange message carries the clients public key (A), - which is calculated using both information known locally, and - information received in the first server key exchange message. This - message MUST be sent between the first and second server key - exchange messages. - -2.2.4 The Second Server Key Exchange Message - - The server key exchange message in the second round contains the - servers public key (B). - -2.3 Calculating the Pre-master Secret - - The shared secret resulting from the SRP calculations (S) is used as - the pre-master secret. - - The finished messages perform the same function as the client and - server evidence messages specified in [2]. If either the client or - the server calculate an incorrect value, the finished messages will - not be understood, and the connection will be dropped as specified - in [1]. - -2.4 Cipher Suite Definitions - - The following cipher suites are added by this draft. The numbers - have been left blank until a suitable range has been selected. - - CipherSuite TLS_SRP_WITH_3DES_EDE_CBC_SHA = { ?,? }; - - CipherSuite TLS_SRP_WITH_RC4_128_SHA = { ?,? }; - - -Taylor Expires August 6, 2001 [Page 4] - -Internet-Draft Using SRP for TLS Authentication February 2001 - - - CipherSuite TLS_SRP_WITH_IDEA_CBC_SHA = { ?,? }; - - CipherSuite TLS_SRP_WITH_3DES_EDE_CBC_MD5 = { ?,? }; - - CipherSuite TLS_SRP_WITH_RC4_128_MD5 = { ?,? }; - - CipherSuite TLS_SRP_WITH_IDEA_CBC_MD5 = { ?,? }; - -2.5 New Message Structures - - This section shows the structure of the messages passed during a - handshake that uses SRP for authentication. The representation - language used is that used in [1]. - - opaque Username<1..2^8-1>; - - enum { non_srp, srp } CipherSuiteType; - - struct { - ProtocolVersion client_version; - Random random; - SessionID session_id; - CipherSuite cipher_suites<2..2^16-1>; - - /* Need a better way to show the optional user_name field */ - select (CipherSuiteType) { - case non_srp: - CompressionMethod compression_methods<1..2^8-1>; - case srp: - CompressionMethod compression_methods<1..2^8-1>; - Username user_name; /* new entry */ - }; - } ClientHello; - - enum { rsa, diffie_hellman, srp } KeyExchangeAlgorithm; - - enum { first, second } KeyExchangeRound; - - struct { - select (KeyExchangeRound) { - case first: - opaque srp_s<1..2^8-1> - opaque srp_N<1..2^16-1>; - opaque srp_g<1..2^16-1>; - case second: - opaque srp_B<1..2^16-1>; - }; - } ServerSRPParams; /* SRP parameters */ - - - -Taylor Expires August 6, 2001 [Page 5] - -Internet-Draft Using SRP for TLS Authentication February 2001 - - - struct { - select (KeyExchangeAlgorithm) { - case diffie_hellman: - ServerDHParams params; - Signature signed_params; - case rsa: - ServerRSAParams params; - Signature signed_params; - case srp: - ServerSRPParams params; /* new entry */ - }; - } ServerKeyExchange; - - struct { - opaque srp_A<1..2^16-1>; - } SRPClientEphemeralPublic; - - struct { - select (KeyExchangeAlgorithm) { - case rsa: EncryptedPreMasterSecret; - case diffie_hellman: ClientDiffieHellmanPublic; - case srp: SRPClientEphemeralPublic; /* new entry */ - } exchange_keys; - } ClientKeyExchange; - - - - - - - - - - - - - - - - - - - - - - - - - - - -Taylor Expires August 6, 2001 [Page 6] - -Internet-Draft Using SRP for TLS Authentication February 2001 - - -3. Security Considerations - - There is no server identification in this version of a TLS - handshake. If an attacker gets the SRP password file, they can - masquerade as the real system. - - What are the security issues of this new handshake sequence? Are the - SRP parameters passed in a safe order? Is it a problem having the - username appended to the client hello message? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Taylor Expires August 6, 2001 [Page 7] - -Internet-Draft Using SRP for TLS Authentication February 2001 - - -References - - [1] Dierks, T. and C. Allen, "The TLS Protocol", RFC 2246, January - 1999. - - [2] Wu, T., "The SRP Authentication and Key Exchange System", RFC - 2945, September 2000. - - [3] Newman, C., "Using TLS with IMAP, POP3 and ACAP", RFC 2595, - June 1999. - - [4] Ford-Hutchinson, P., Carpenter, M., Hudson, T., Murray, E. and - V. Wiegand, "Securing FTP with TLS", - draft-murray-auth-ftp-ssl-06 (work in progress), September 2000. - - [5] Boe, M. and J. Altman, "TLS-based Telnet Security", - draft-ietf-tn3270e-telnet-tls-05 (work in progress), October - 2000. - - -Author's Address - - David Taylor - Forge Research Pty Ltd - - EMail: DavidTaylor@forge.com.au - URI: http://www.protekt.com/ - - - - - - - - - - - - - - - - - - - - - - - - -Taylor Expires August 6, 2001 [Page 8] - -Internet-Draft Using SRP for TLS Authentication February 2001 - - -Full Copyright Statement - - Copyright (C) The Internet Society (2001). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph - are included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Acknowledgement - - Funding for the RFC editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - -Taylor Expires August 6, 2001 [Page 9] - |