Cryptography Reference
9. Upon receipt of h2, Carol verifies that K is the correct key. If all is valid,
then they have a shared session key K.
Analysis:
The exchange may be seen as a type of Diffie-Hellman exchange, since the
private values a and b correspond roughly to the private values in the
Diffie-Hellman key exchange, and they have similar properties. In fact, the
exponentials used in the protocol have been modified over the SRP-3 version to
counter dictionary attacks (see Footnote 5.2) as well as casual password
sniffing. In SRP-6, this is accomplished by introducing the coefficient 3 of v
in step 2 (which was 1 in SRP-3), as well as the addition of sending A in step 1
(whereas only I_C was sent in SRP-3). Adding the coefficient of 3 to v removes a
symmetry property in SRP-3 that made it easier to launch a dictionary attack.
Moreover, the computation of u as a hash in step 3 (whereas the related variable
was sent unhashed in SRP-3) thwarts impersonation attacks. In SRP-3, the order
of sending messages and revelation of the related u parameter, before certain
steps were executed, opened the protocol to such impersonation attacks. This
introduction of the hash eliminates this problem. If Mallory wants to find a
value of u for which u = H(α^a v^u, B), then it is infeasible (with a hash
function such as SHA-1, for instance) for him to pick a value of u and work
back to find an appropriate value of a.
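The SRP-6 changes described above (coefficient 3 on v, A sent in the first message, u computed as a hash) can be seen working in the following added example, which is not code from the original text. The formulas for the steps not shown in this section follow the published SRP-6 design; the modulus, the value of α, the use of SHA-256, K = H(S), and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumptions): a Mersenne prime that is easy to write down.
# Real deployments use a vetted safe-prime group, e.g. those in RFC 5054.
N = 2**521 - 1
ALPHA = 3  # the generator the page calls alpha; this value is an assumption

def H(*parts):
    """Hash length-prefixed ints/bytes to an integer (SHA-256 here)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((N.bit_length() + 7) // 8, "big")
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

def make_verifier(password, salt):
    """What Victor stores: v = alpha^x mod N, never the password itself."""
    return pow(ALPHA, H(salt, password.encode()), N)

def server_key(v, A, b):
    """Victor's side: returns (B, K). A = 0 mod N would force S = 0, so reject it."""
    if A % N == 0:
        raise ValueError("illegal A")
    B = (3 * v + pow(ALPHA, b, N)) % N      # coefficient 3 of v, as in SRP-6
    u = H(A, B)                             # u is a hash; neither side picks it
    return B, H(pow(A * pow(v, u, N) % N, b, N))

def client_key(password, salt, a, B):
    """Carol's side: strip 3v out of B, then raise the result to a + u*x."""
    u = H(pow(ALPHA, a, N), B)
    x = H(salt, password.encode())
    S = pow((B - 3 * pow(ALPHA, x, N)) % N, a + u * x, N)
    return H(S)

def run_exchange(stored_password, typed_password):
    """One full run; returns (Carol's K, Victor's K)."""
    salt = secrets.token_bytes(16)
    v = make_verifier(stored_password, salt)
    a = secrets.randbelow(N - 2) + 1
    b = secrets.randbelow(N - 2) + 1
    A = pow(ALPHA, a, N)                    # sent in step 1 together with I_C
    B, k_victor = server_key(v, A, b)
    return client_key(typed_password, salt, a, B), k_victor
```

With the right password both sides obtain the same K; with a wrong one the keys differ, so the hash check in the final steps fails without either side revealing the password or v.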
From the above, we see that SRP-6 is designed to thwart dictionary attacks
since even if Victor's password database is publicly disclosed, Mallory, for
instance, would need an exponential computation to validate a guess, which is
more time consuming than he can afford. In any case, Victor uses SRP-6 to
store passwords in a form not directly attainable by Mallory.
SRP is relatively immune to the man-in-the-middle attack (see Footnote 3.7
on page 134) because, without Carol's password, Mallory cannot deceive both
Carol and Victor. Without Carol's private key, Mallory cannot deceive Victor
into thinking he is communicating with Carol. Without v as well, Mallory has
no hope of masquerading as Victor to fool Carol. Hence, properly implemented,
SRP is perhaps the most secure of authentication schemes with password entry.
It is part of a new family of verifier-based protocols, called Asymmetric Key
Exchange (AKE), where password and verifier are integrated into a single key
exchange round. One protocol wherein the use of SRP-6 would be particularly
useful is SSL/TLS (see Section 5.7 on page 218), since the server can send its
(initial) messages in one pass, rather than two (for both client and server)
as was the case with SRP-3.
SRP solves the long-standing problem of having both ease-of-use and
security without sacrificing performance. Also, it has the advantage of forward
secrecy. SRP is ideal for a number of applications for which secure password
authorization is required. For more technical information, see Internet draft:
draft-ietf-tls-srp-08 at the IETF website (see Footnote 5.3 on page 219):
http://www.ietf.org/internet-drafts/draft-ietf-tls-srp-08.txt.
Footnote 5.2: A dictionary attack occurs when an adversary takes a list of probable passwords, hashes
all the entries on the list, and compares this list to the list of actual enciphered passwords in
an effort to find a match.