path: root/doc/tex/auth.tex
blob: edce4406004ae9992d4876c906fc27aa42eead27 (plain)
\chapter{Authentication methods}
\par
The following authentication schemes are supported in \gnutls:
\begin{enumerate}
 \item Certificate authentication
 \item Anonymous authentication
 \item SRP authentication
\end{enumerate}

% x.509 section
\input{x509}

\begin{figure}[hbtp]
\begin{tabular}{|l|p{9cm}|}
\hline
RSA & The RSA algorithm is used to encrypt a key and send it to the peer.
The certificate must allow the key to be used for encryption.
\\
\hline
DHE\_RSA & The RSA algorithm is used to sign Ephemeral Diffie Hellman
parameters which are sent to the peer. The certificate must allow
the key to be used for signing. Note that key exchange algorithms which use
Ephemeral Diffie Hellman parameters offer perfect forward secrecy.
\\
\hline
DHE\_DSS & The DSS\footnote{DSS stands for Digital Signature Standard} algorithm is used to sign Ephemeral Diffie Hellman
parameters which are sent to the peer. 
\\
\hline
\end{tabular}

\caption{Key exchange algorithms for OpenPGP and X.509 certificates.}
\label{fig:cert}

\end{figure}


% openpgp section

\input{openpgp}



\section{Anonymous authentication\index{Anonymous authentication}}
The anonymous key exchange performs encryption, but gives no indication of
the identity of the peer. This kind of authentication is vulnerable to a
man-in-the-middle attack,
but it can be used even if there has been no prior communication with the peer
and no common trusted party exists. Unless really required, do not use anonymous authentication.
Available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:anon}.

\begin{figure}[hbtp]
\begin{tabular}{|l|p{9cm}|}

\hline
ANON\_DH & This algorithm exchanges Diffie Hellman parameters. 
\\
\hline
\end{tabular}

\caption{Supported anonymous key exchange algorithms}
\label{fig:anon}

\end{figure}

\section{Authentication using SRP\index{SRP authentication}}
Authentication using SRP\footnote{SRP stands for Secure Password Protocol and
is described in RFC2945. The SRP key exchange is not a part of the \tlsI{} protocol.}
is actually password authentication, since the two peers are identified by the knowledge of a password.
This protocol also offers protection against off-line attacks, such as password
file stealing.
This is achieved because SRP does not use the plain password to perform authentication, but something called a
verifier. The verifier is $g^{x} \bmod n$, where $x$ is a value calculated
from the username and the password.
\par SRP is normally used with a SHA based hash function to calculate
the value of $x$. In \gnutls{}, in addition to the original SHA hash function,
a hash function based on blowfish crypt is also supported. The blowfish
crypt function has the property of variable complexity, thus the
verifier may resist future attacks based on computational power, by just increasing
the complexity of the function (also called ``the cost'').
\par The advantage of SRP authentication over other proposed secure password
authentication schemes is that SRP does not require the server to hold
the user's password. This kind of protection is similar to the one used traditionally
in the \emph{UNIX} ``passwd'' file, where the contents of this file did not cause
harm to the system security if they were revealed.
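
The verifier computation described above, as an added example that is not part of the GnuTLS manual or code: it follows the RFC 2945 definition x = SHA1(salt | SHA1(username:password)), not libsrp's on-disk tpasswd encoding. The group constants (taken from RFC 5054, Appendix A), the function names and the sample credentials are assumptions of the example.

```python
import hashlib
import hmac
import os

# Assumption: the 1024-bit group of RFC 5054, Appendix A, with g = 2, used
# here in place of the n and g values a tpasswd.conf file would supply.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2


def srp_x(username: str, password: str, salt: bytes) -> int:
    """x = SHA1(salt | SHA1(username ":" password)), as defined in RFC 2945."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def make_record(username: str, password: str, salt: bytes = None) -> dict:
    """What the server stores: user name, salt and verifier v = g^x mod n."""
    salt = os.urandom(16) if salt is None else salt
    return {"user": username, "salt": salt,
            "verifier": pow(G, srp_x(username, password, salt), N)}


def check_password(record: dict, candidate: str) -> bool:
    """Recompute the verifier for a candidate password and compare."""
    width = (N.bit_length() + 7) // 8
    v = pow(G, srp_x(record["user"], candidate, record["salt"]), N)
    return hmac.compare_digest(v.to_bytes(width, "big"),
                               record["verifier"].to_bytes(width, "big"))


if __name__ == "__main__":
    # Constructed sample credentials.
    rec = make_record("test", "correct horse")
    print("salt     :", rec["salt"].hex())
    print("verifier :", hex(rec["verifier"])[:34] + "...")
    print("right pw :", check_password(rec, "correct horse"))
    print("wrong pw :", check_password(rec, "battery staple"))
```

Each candidate password tested against a stolen record costs two hashes and one modular exponentiation, and the per-user salt keeps precomputed tables from being reused across accounts.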
\par
Available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:srp}.

\begin{figure}[hbtp]
\begin{tabular}{|l|p{9cm}|}

\hline
SRP & Authentication using the SRP protocol. 
\\
\hline
\end{tabular}

\caption{Supported SRP key exchange algorithms}
\label{fig:srp}

\end{figure}

\subsection{The included ``srpcrypt'' program}
``gnutls-srpcrypt'' is a very simple program that emulates the programs in libsrp,
found at \htmladdnormallink{http://srp.stanford.edu}{http://srp.stanford.edu}.
It is intended for use in places where you don't expect SRP
authentication to be performed for system users.

Traditionally libsrp used two files: one called 'tpasswd', which holds usernames
and verifiers, and 'tpasswd.conf', which holds generators and primes.
\par
How to use srpcrypt:

\begin{itemize}


\item To create tpasswd.conf, which holds the g and n values for the
SRP protocol (a generator and a large prime), run:
\begin{verbatim}
$ gnutls-srpcrypt --create-conf /etc/tpasswd.conf
\end{verbatim}


\item This command will create /etc/tpasswd and will add user 'test' (you will also
be prompted for a password). Verifiers are stored by default in the
way libsrp expects (using a modified SHA()). However, using this tool you
may also specify blowfish crypt instead of SHA (see the --crypt parameter).
\begin{verbatim}
$ gnutls-srpcrypt --passwd /etc/tpasswd \
    --passwd-conf /etc/tpasswd.conf -u test
\end{verbatim}

\item This command will check against a password. If the password matches 
the one in /etc/tpasswd you will get an ok.
\begin{verbatim}
$ gnutls-srpcrypt --passwd /etc/tpasswd \
    --passwd-conf /etc/tpasswd.conf --verify -u test
\end{verbatim}

\end{itemize}