| blob | f122ddd944f0039366cd3312fb580032dcaa4319 |
3 Network Working Group D. Taylor
4 Internet-Draft Forge Research Pty Ltd
5 Expires: December 28, 2001 June 29, 2001
8 Using SRP for TLS Authentication
9 draft-ietf-tls-srp-01
11 Status of this Memo
13 This document is an Internet-Draft and is in full conformance with
14 all provisions of Section 10 of RFC2026.
16 Internet-Drafts are working documents of the Internet Engineering
17 Task Force (IETF), its areas, and its working groups. Note that
18 other groups may also distribute working documents as Internet-
19 Drafts.
21 Internet-Drafts are draft documents valid for a maximum of six months
22 and may be updated, replaced, or obsoleted by other documents at any
23 time. It is inappropriate to use Internet-Drafts as reference
24 material or to cite them other than as "work in progress."
26 The list of current Internet-Drafts can be accessed at
27 http://www.ietf.org/ietf/1id-abstracts.txt.
29 The list of Internet-Draft Shadow Directories can be accessed at
30 http://www.ietf.org/shadow.html.
32 This Internet-Draft will expire on December 28, 2001.
34 Copyright Notice
36 Copyright (C) The Internet Society (2001). All Rights Reserved.
38 Abstract
40 This memo presents a technique for using the SRP (Secure Remote
41 Password) protocol as an authentication method for the TLS (Transport
42 Layer Security) protocol.
55 Taylor Expires December 28, 2001 [Page 1]
56 \f
57 Internet-Draft Using SRP for TLS Authentication June 2001
60 Table of Contents
62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
63 2. SRP Authentication in TLS . . . . . . . . . . . . . . . . . 4
64 2.1 Modifications to the TLS Handshake Sequence . . . . . . . . 4
65 2.1.1 Message Sequence . . . . . . . . . . . . . . . . . . . . . . 4
66 2.1.2 Session re-use . . . . . . . . . . . . . . . . . . . . . . . 4
67 2.2 SRP Verifier Message Digest Selection . . . . . . . . . . . 5
68 2.3 Changes to the Handshake Message Contents . . . . . . . . . 5
69 2.3.1 The Client Hello Message . . . . . . . . . . . . . . . . . . 6
70 2.3.2 The Server Hello Message . . . . . . . . . . . . . . . . . . 6
71 2.3.3 The Client Key Exchange Message . . . . . . . . . . . . . . 6
72 2.3.4 The Server Key Exchange Message . . . . . . . . . . . . . . 6
73 2.4 Calculating the Pre-master Secret . . . . . . . . . . . . . 6
74 2.5 Cipher Suite Definitions . . . . . . . . . . . . . . . . . . 6
75 2.6 New Message Structures . . . . . . . . . . . . . . . . . . . 7
76 2.6.1 ExtensionType . . . . . . . . . . . . . . . . . . . . . . . 7
77 2.6.2 Client Hello . . . . . . . . . . . . . . . . . . . . . . . . 7
78 2.6.3 Server Hello . . . . . . . . . . . . . . . . . . . . . . . . 8
79 2.6.4 Client Key Exchange . . . . . . . . . . . . . . . . . . . . 8
80 2.6.5 Server Key Exchange . . . . . . . . . . . . . . . . . . . . 9
81 3. Security Considerations . . . . . . . . . . . . . . . . . . 10
82 References . . . . . . . . . . . . . . . . . . . . . . . . . 11
83 Author's Address . . . . . . . . . . . . . . . . . . . . . . 11
84 A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
85 Full Copyright Statement . . . . . . . . . . . . . . . . . . 13
111 Taylor Expires December 28, 2001 [Page 2]
112 \f
113 Internet-Draft Using SRP for TLS Authentication June 2001
116 1. Introduction
118 At the time of writing, TLS [1] uses public key certificiates with
119 RSA/DSA digital signatures, or Kerberos, for authentication.
121 These authentication methods do not seem well suited to the
122 applications now being adapted to use TLS (IMAP [3], FTP [4], or
123 TELNET [5], for example). Given these protocols (and others like
124 them) are designed to use the user name and password method of
125 authentication, being able to use user names and passwords to
126 authenticate the TLS connection seems to be a useful feature.
128 SRP [2] is an authentication method that allows the use of user names
129 and passwords over unencrypted channels without revealing the
130 password to an eavesdropper. SRP also supplies a shared secret at
131 the end of the authetication sequence that can be used to generate
132 encryption keys.
134 This document describes the use of the SRP authentication method for
135 TLS.
167 Taylor Expires December 28, 2001 [Page 3]
168 \f
169 Internet-Draft Using SRP for TLS Authentication June 2001
172 2. SRP Authentication in TLS
174 2.1 Modifications to the TLS Handshake Sequence
176 The SRP protocol can not be implemented using the sequence of
177 handshake messages defined in [1] due to the sequence in which the
178 SRP messages must be sent.
180 This document proposes a new sequence of handshake messages for
181 handshakes using the SRP authentication method.
183 2.1.1 Message Sequence
185 Handshake Message Flow for SRP Authentication
187 Client Server
188 | |
189 Client Hello (U, mds)--------------------> |
190 | <---------------------------- Server Hello (md, g, N, s)
191 Client Key Exchange (A) -----------------> |
192 | <---------------------------- Server Key Exchange (B)
193 | <---------------------------- Server Hello Done
194 change cipher spec |
195 Finished --------------------------------> |
196 | change cipher spec
197 | <---------------------------- Finished
198 | |
200 The identifiers given after each message name refer to the SRP
201 variables included in that message. The variables are defined in
202 [2], except for (mds) and (md) which are defined in this document.
204 Extended client and server hello messages, as defined in [6], are
205 used to to send the initial client and server values.
207 The client key exchange message is sent during the sequence of server
208 messages. This modification is required because the client must send
209 its public key (A) before it receives the servers public key (B), as
210 stated in Section 3 of [2].
212 2.1.2 Session re-use
214 The short handshake mechanism for re-using sessions for new
215 connections, and renegotiating keys for existing connections will
216 still work with the SRP authentication mechanism and handshake.
218 When a client attemps to re-use a session that uses SRP
219 authentication, it MUST still include the SRP extension carrying the
223 Taylor Expires December 28, 2001 [Page 4]
224 \f
225 Internet-Draft Using SRP for TLS Authentication June 2001
228 user name (U) in the client hello message, in case the server cannot
229 or will not allow re-use of the session, meaning a full handshake
230 sequence is required.
232 If a client requests an existing session and the server agrees to use
233 it (meaning the short handshake will be used), the server MAY omit
234 the SRP extension from the server hello message, as the information
235 it contains is not used in the short handshake.
237 2.2 SRP Verifier Message Digest Selection
239 SRP uses a message digest algorithm when creating password verifiers,
240 and when performing calculations during authentication. At the time
241 of writing, SHA-1 is the only algorithm that has been defined for use
242 with SRP. However, there is no reason other message digest
243 algorithms cannot be used, and the handshake messages and extensions
244 defined by this draft include a message digest algorithm selection
245 mechanism.
247 The passwordMessageDigest enumerated, the srp_mds vector, and srp_md
248 value are used to determine which message digest alorithm is to be
249 used by the client when it is performing the SRP calculation. The
250 server determines which message digest algorithm to use based on the
251 list of message digest algorithms requested by the client, and the
252 list of available SRP verifiers known by the server.
254 The client sends a list of message digest algorithms it can use for
255 the SRP calculation using the srp_mds vector. The server MUST select
256 a message digest algorithm that is in the list supplied by the
257 client, and the server MUST have access to an SRP verifier calculated
258 with the selected message digest algorithm.
260 If the server has access to multiple SRP verifiers for the given user
261 (each calculated using a different message disgest algorithm), the
262 server may select whichever matching message digest algorithm it
263 chooses, so long as the selected message digest algorithm appears in
264 the list sent by the client.
266 If the server does not have an SRP verifier calculated with any of
267 the message digest algorithms suggested by the client, the server
268 must send a handshake failure alert.
270 2.3 Changes to the Handshake Message Contents
272 This section describes the changes to the TLS handshake message
273 contents when SRP is being used for authentication. The definitons
274 of the new message contents and the on-the-wire changes are given in
275 Section 2.6.
279 Taylor Expires December 28, 2001 [Page 5]
280 \f
281 Internet-Draft Using SRP for TLS Authentication June 2001
284 2.3.1 The Client Hello Message
286 The user name is appended to the standard client hello message using
287 the client hello extension mechanism defined in [6].
289 The list of message digests the client can use is also included.
290 This list represents all the message digests the client can use for
291 the SRP calculations.
293 2.3.2 The Server Hello Message
295 The message digest selected by the server (md), the generator (g),
296 the prime (N), and the salt value (s) read from the SRP password file
297 are appended to the server hello message using the client hello
298 extension mechanism defined in [6].
300 2.3.3 The Client Key Exchange Message
302 The client key exchange message carries the client's public key (A),
303 which is calculated using both information known locally, and
304 information received in the server hello message. This message MUST
305 be sent before the server key exchange message.
307 2.3.4 The Server Key Exchange Message
309 The server key exchange message contains the servers public key (B).
310 The server key exchange message MUST be sent after the client key
311 exchange message.
313 2.4 Calculating the Pre-master Secret
315 The shared secret resulting from the SRP calculations (S) (defined in
316 [2]) is used as the pre-master secret.
318 The finished messages perform the same function as the client and
319 server evidence messages specified in [2]. If either the client or
320 the server calculate an incorrect value, the finished messages will
321 not be understood, and the connection will be dropped as specified in
322 [1].
324 2.5 Cipher Suite Definitions
326 The following cipher suites are added by this draft. The numbers
327 have been selected based on other RFCs and Internet Drafts that were
328 current at the time of writing, so may need to be changed in future.
330 CipherSuite TLS_SRP_WITH_3DES_EDE_CBC_SHA = { 0x00,0x5B };
335 Taylor Expires December 28, 2001 [Page 6]
336 \f
337 Internet-Draft Using SRP for TLS Authentication June 2001
340 CipherSuite TLS_SRP_WITH_RC4_128_SHA = { 0x00,0x5C };
342 CipherSuite TLS_SRP_WITH_IDEA_CBC_SHA = { 0x00,0x5D };
344 CipherSuite TLS_SRP_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x5E };
346 CipherSuite TLS_SRP_WITH_RC4_128_MD5 = { 0x00,0x5F };
348 CipherSuite TLS_SRP_WITH_IDEA_CBC_MD5 = { 0x00,0x60 };
351 2.6 New Message Structures
353 This section shows the structure of the messages passed during a
354 handshake that uses SRP for authentication. The representation
355 language used is the same as that used in [1].
357 When encoding the numbers g, N, A, and B as opaque types, if the most
358 significant bit is set, an extra byte of value 0x00 (all bits
359 cleared) MUST be added as the most significant byte. This is done as
360 a safeguard against implementations that do not assume these numbers
361 are positive.
363 2.6.1 ExtensionType
365 A new value, "srp(6)", has been added to the enumerated
366 ExtensionType, defined in [6]. This value is used as the extension
367 number for the extensions in both the client hello message and the
368 server hello message. This value was chosen based on the version of
369 defined in [6] that was current at the time of writing, so may be
370 changed in future.
372 2.6.2 Client Hello
374 The user name (U) and a list of message digests (srp_mds) are encoded
375 in an SRPExtension structure, and sent in an extended client hello
376 message, using an extension of type "srp".
378 The list of message digests represents the list of message digests
379 the client can use for the SRP calculations.
391 Taylor Expires December 28, 2001 [Page 7]
392 \f
393 Internet-Draft Using SRP for TLS Authentication June 2001
396 enum { client, server } ClientOrServerExtension;
398 enum { sha-1(0), (255) } PasswordMessageDigest;
400 struct {
401 select(ClientOrServerExtension) {
402 case client:
403 opaque srp_U<1..2^8-1>;
404 PasswordMessageDigest srp_mds<1..2^8-1>;
405 case server:
406 PasswordMessageDigest srp_md;
407 opaque srp_s<1..2^8-1>
408 opaque srp_N<1..2^16-1>;
409 opaque srp_g<1..2^16-1>;
410 }
411 } SRPExtension;
414 2.6.3 Server Hello
416 The message digest selected by the server (md), the generator (g),
417 the prime (N), and the salt value (s) are encoded in an SRPExtension
418 structure, which is sent in an extended server hello message, using
419 an extension of type "srp".
421 The SRPParams structure is defined above.
423 2.6.4 Client Key Exchange
425 When the value of KeyExchangeAlgorithm is set to "srp", the client's
426 ephemeral public key (A) is sent in the client key exchange message,
427 encoded in an ClientSRPPublic structure.
429 An extra value, srp, has been added to the enumerated
430 KeyExchangeAlgorithm, originally defined in TLS [1].
447 Taylor Expires December 28, 2001 [Page 8]
448 \f
449 Internet-Draft Using SRP for TLS Authentication June 2001
452 struct {
453 select (KeyExchangeAlgorithm) {
454 case rsa: EncryptedPreMasterSecret;
455 case diffie_hellman: ClientDiffieHellmanPublic;
456 case srp: ClientSRPPublic; /* new entry */
457 } exchange_keys;
458 } ClientKeyExchange;
460 enum { rsa, diffie_hellman, srp } KeyExchangeAlgorithm;
462 struct {
463 opaque srp_A<1..2^16-1>;
464 } ClientSRPPublic;
467 2.6.5 Server Key Exchange
469 When the value of KeyExchangeAlgorithm is set to "srp", the server's
470 ephemeral public key (B) is sent in the server key exchange message,
471 encoded in an ServerSRPPublic structure.
473 struct {
474 select (KeyExchangeAlgorithm) {
475 case diffie_hellman:
476 ServerDHParams params;
477 Signature signed_params;
478 case rsa:
479 ServerRSAParams params;
480 Signature signed_params;
481 case srp:
482 ServerSRPPublic; /* new entry */
483 };
484 } ServerKeyExchange;
486 struct {
487 opaque srp_B<1..2^16-1>;
488 } ServerSRPPublic; /* SRP parameters */
503 Taylor Expires December 28, 2001 [Page 9]
504 \f
505 Internet-Draft Using SRP for TLS Authentication June 2001
508 3. Security Considerations
510 If an attacker is able to steal the SRP verifier file, the attacker
511 can masquerade as the real host. Filesystem based X.509 certificate
512 installations are vulnerable to a similar attack unless the servers
513 certificate is issued from a PKI that maintains revocation lists, and
514 the client TLS code can both contact the PKI and make use of the
515 revocation list.
517 Not all clients and servers will be able to interoperate once the
518 number of message digest algorithms used for creating password
519 verifiers is increased. For example, a client may only support SHA-
520 1, whereas the verifiers on the server were created with a different
521 message digest algoritm.
523 Because the initial handshake messages are unprotected, an attacker
524 can modify the list of message digests in the client hello message.
525 For example, an attacker could rewrite the message to remove all but
526 the weakest message digest. There is no way to know this has
527 happened until the finished messages are compared.
529 An attacker can also modify the server hello message to use a
530 different message digest than that selected by the server. If this
531 happens, the handshake will fail after the change cipher spec
532 messages are sent, as the client and server will have calculated
533 different pre-master secret vales.
559 Taylor Expires December 28, 2001 [Page 10]
560 \f
561 Internet-Draft Using SRP for TLS Authentication June 2001
564 References
566 [1] Dierks, T. and C. Allen, "The TLS Protocol", RFC 2246, January
567 1999.
569 [2] Wu, T., "The SRP Authentication and Key Exchange System", RFC
570 2945, September 2000.
572 [3] Newman, C., "Using TLS with IMAP, POP3 and ACAP", RFC 2595, June
573 1999.
575 [4] Ford-Hutchinson, P., Carpenter, M., Hudson, T., Murray, E. and
576 V. Wiegand, "Securing FTP with TLS", draft-murray-auth-ftp-ssl-
577 06 (work in progress), September 2000.
579 [5] Boe, M. and J. Altman, "TLS-based Telnet Security", draft-ietf-
580 tn3270e-telnet-tls-05 (work in progress), October 2000.
582 [6] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J. and T.
583 Wright, "TLS Extensions", draft-ietf-tls-extensions-00 (work in
584 progress), June 2001.
587 Author's Address
589 David Taylor
590 Forge Research Pty Ltd
592 EMail: DavidTaylor@forge.com.au
593 URI: http://www.forge.com.au/
615 Taylor Expires December 28, 2001 [Page 11]
616 \f
617 Internet-Draft Using SRP for TLS Authentication June 2001
620 Appendix A. Acknowledgements
622 The following people have contributed ideas and time to this draft:
623 Raif Naffah, Tom Wu, Nikos Mavroyanopoulos
671 Taylor Expires December 28, 2001 [Page 12]
672 \f
673 Internet-Draft Using SRP for TLS Authentication June 2001
676 Full Copyright Statement
678 Copyright (C) The Internet Society (2001). All Rights Reserved.
680 This document and translations of it may be copied and furnished to
681 others, and derivative works that comment on or otherwise explain it
682 or assist in its implementation may be prepared, copied, published
683 and distributed, in whole or in part, without restriction of any
684 kind, provided that the above copyright notice and this paragraph are
685 included on all such copies and derivative works. However, this
686 document itself may not be modified in any way, such as by removing
687 the copyright notice or references to the Internet Society or other
688 Internet organizations, except as needed for the purpose of
689 developing Internet standards in which case the procedures for
690 copyrights defined in the Internet Standards process must be
691 followed, or as required to translate it into languages other than
692 English.
694 The limited permissions granted above are perpetual and will not be
695 revoked by the Internet Society or its successors or assigns.
697 This document and the information contained herein is provided on an
698 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
699 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
700 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
701 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
702 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
704 Acknowledgement
706 Funding for the RFC Editor function is currently provided by the
707 Internet Society.
727 Taylor Expires December 28, 2001 [Page 13]
728 \f