summaryrefslogtreecommitdiff
path: root/package/ead/src/tinysrp/Notes
blob: a8620aa70015fdd86ab731638aea4b9b8ddbce6d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
t_* stuff is from the srp 1.7.1 dist
bn_* stuff is from openssl 0.9.6

(The 7 in libtinysrp's version number reflects the srp version.)

Licensing and copyright for srp and openssl are as indicated in the relevant
source files.  Everything else here is GPL, including the tinysrp protocol.

Changelog since initial release:

0.7.4   more robust terminal modes in t_getpass
	a potential buffer overflow in tinysrp
0.7.5   uninitialized pointer bug in tconf

Changes from the base srp and openssl distributions:

I've removed everything that's not needed for client/server operations, and
all the bn_* stuff that's only used for prime generation has been moved to
t_conf.c, which isn't part of the library anymore.  Also, all the routines
used for passphrase file maintenance have been moved to tphrase.c.

The library has been optimized (a bit) for space instead of speed.  Since
authentication is usually only done once, this isn't a big problem.  Modern
CPUs are plenty fast for this task, and even 100 MHz CPUs are fine.  If you
really need the speed, get the regular distributions.

Note that if the server sends the client a prime that the client doesn't
know about, the client MUST test for primality.  Since this is pretty
expensive, and takes 30 seconds on a 100 MHz machine, and uses lots of code,
I've removed that ability from the client.  So only KNOWN primes can be
used.  You can still generate new ones with tconf, but you have to install
them in the table of known primes (pre_params) in t_getconf.c that's common
to the client and server, and recompile.  The configuration file is gone.

The default prime (the last entry in the table) is 1024 bits; there are
others with more bits but they will be correspondingly slower.

The default tpasswd file (which is an ascii file that may be editted with a
regular text editor) contains two users: moo (passphrase "glub glub") and
"new user" (passphrase "this is a test").  Passphrases may be added or
changed with tphrase; you can also change the user's prime.  To delete a
user, edit the tpasswd file and remove that line.  The tpasswd file's
default name is DEFAULT_PASSWD in t_pwd.h.  Note that you can't change a
user's username by editting the file: the username is encoded in the
verifier.  If you change a username you must set a new passphrase with
tphrase.

Here is an example session, using the supplied srvtest and clitest.  First,
start both programs in different windows, and enter the user names.  Normally,
the client would send the username to the server.  Server lines are marked
with S>, client lines with C>.

S> % srvtest
S> Enter username: moo
S> index (to client): 5
S> salt (to client): 19AI0Hc9jEkdFc

C> % clitest
C> Enter username: moo
C> Enter index (from server): 5
C> Enter salt (from server): 19AI0Hc9jEkdFc

The server reports the index and salt values used for that user.  They
are sent over the network to the client.  (Simulate this by cutting and
pasting from one window to the other.)

C> A (to server): 5wCDXRxLIv/zLazYfKupV/OY3BlhTZuJ71wVgI0HcL1kSJEpkMuWF.xEz/BV2wlJl7vk5Eoz9KMS1ccnaatsVP5D6CBm7UA.yVB59EQFN0dNBirvX29NAFdtdMsMppo5tHRy987XjJWrWSLpeibq6emr.gP8nYyX75GQqSiMY1j
C> Enter password:

S> Enter A (from client): 5wCDXRxLIv/zLazYfKupV/OY3BlhTZuJ71wVgI0HcL1kSJEpkMuWF.xEz/BV2wlJl7vk5Eoz9KMS1ccnaatsVP5D6CBm7UA.yVB59EQFN0dNBirvX29NAFdtdMsMppo5tHRy987XjJWrWSLpeibq6emr.gP8nYyX75GQqSiMY1j

Now the client calculates A and sends it to the server, and while the
server is munching on that, the client gets the password from the user.

S> B (to client): 9dcCpulxQAbaDXI0NHWY6B.QH6B9fsoXs/x/5SCNBNJm/6H6bYfbVrwNmdquhLZjYMvpcgGc2mBYqL77RNfw1kVQo17//GfsByECBIjRnrAn02ffX9Y/llJcfscAQiii0hyZhJf9PT5wE7pC7WUjIgSqckIZ0JLNDbSr7fJcrgw
S> Session key: ebbcf3a45c968defdcfff6e144ad8d4f5412167c9716e79cbf7cacfe18257947ad46fa5d6418a1fd

The server now calculates B and sends it to the client.  The session key
is not sent -- it is a shared secret that can be used for encryption.

C> Enter B (from server): 9dcCpulxQAbaDXI0NHWY6B.QH6B9fsoXs/x/5SCNBNJm/6H6bYfbVrwNmdquhLZjYMvpcgGc2mBYqL77RNfw1kVQo17//GfsByECBIjRnrAn02ffX9Y/llJcfscAQiii0hyZhJf9PT5wE7pC7WUjIgSqckIZ0JLNDbSr7fJcrgw
C> Session key: ebbcf3a45c968defdcfff6e144ad8d4f5412167c9716e79cbf7cacfe18257947ad46fa5d6418a1fd
C> Response (to server): b9ea99094a176c4be28eb469982066cc7146d180

The client uses the B value to calculate its own copy of the shared secret
session key, and sends a response to the server proving that it does know
the correct key.

S> Enter response (from client): b9ea99094a176c4be28eb469982066cc7146d180
S> Authentication successful.
S> Response (to client): cd46c839ccad2d0c76f3ca1905ae8ceda8d1c1dc

The server authenticates the client.  (You're in!)

C> Enter server response: cd46c839ccad2d0c76f3ca1905ae8ceda8d1c1dc
C> Server authentication successful.

The client authenticates the server (prevents server spoofing in the case
where the session key isn't used to encrypt the channel -- a spoofed server
might just respond with random values and _pretend_ to authenticate the
client; but the spoofed server won't know the session key and this check
catches that).

Final note:

Remember that many breaches of security involve buggy software, such as
servers susceptible to buffer overflow exploits that totally bypass any
passphrase, secure or not.  If an attacker roots your client, or the server,
no form of authentication will work.  Consider MAC-based schemes if this
worries you.