Network Working Group T. Wu Request for Comments: 2945 Stanford University Category: Standards Track September 2000
Network Working Group T. Wu Request for Comments: 2945 Stanford University Category: Standards Track September 2000
The SRP Authentication and Key Exchange System
SRP认证与密钥交换系统
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
Abstract
摘要
This document describes a cryptographically strong network authentication mechanism known as the Secure Remote Password (SRP) protocol. This mechanism is suitable for negotiating secure connections using a user-supplied password, while eliminating the security problems traditionally associated with reusable passwords. This system also performs a secure key exchange in the process of authentication, allowing security layers (privacy and/or integrity protection) to be enabled during the session. Trusted key servers and certificate infrastructures are not required, and clients are not required to store or manage any long-term keys. SRP offers both security and deployment advantages over existing challenge-response techniques, making it an ideal drop-in replacement where secure password authentication is needed.
本文档描述了一种加密性强的网络身份验证机制,称为安全远程密码(SRP)协议。此机制适用于使用用户提供的密码协商安全连接,同时消除传统上与可重用密码相关的安全问题。该系统还在身份验证过程中执行安全密钥交换,允许在会话期间启用安全层(隐私和/或完整性保护)。不需要可信密钥服务器和证书基础结构,客户机也不需要存储或管理任何长期密钥。与现有的质询响应技术相比,SRP提供了安全性和部署优势,使其成为需要安全密码验证的理想替代品。
The lack of a secure authentication mechanism that is also easy to use has been a long-standing problem with the vast majority of Internet protocols currently in use. The problem is two-fold: Users like to use passwords that they can remember, but most password-based authentication systems offer little protection against even passive attackers, especially if weak and easily-guessed passwords are used.
对于目前使用的绝大多数互联网协议来说,缺乏安全且易于使用的身份验证机制是一个长期存在的问题。问题有两个方面:用户喜欢使用他们能记住的密码,但大多数基于密码的身份验证系统即使是被动攻击者也无法提供保护,特别是在使用脆弱且容易猜测的密码时。
Eavesdropping on a TCP/IP network can be carried out very easily and very effectively against protocols that transmit passwords in the clear. Even so-called "challenge-response" techniques like the one described in [RFC 2095] and [RFC 1760], which are designed to defeat
TCP/IP网络上的窃听可以非常容易、非常有效地针对明文传输密码的协议进行。即使是[RFC 2095]和[RFC 1760]中描述的所谓的“挑战-响应”技术,其目的也是为了击败
simple sniffing attacks, can be compromised by what is known as a "dictionary attack". This occurs when an attacker captures the messages exchanged during a legitimate run of the protocol and uses that information to verify a series of guessed passwords taken from a precompiled "dictionary" of common passwords. This works because users often choose simple, easy-to-remember passwords, which invariably are also easy to guess.
简单的嗅探攻击可以被称为“字典攻击”的攻击破坏。当攻击者捕获协议合法运行期间交换的消息并使用该信息验证从预编译的常用密码“字典”中获取的一系列猜测密码时,就会发生这种情况。这是因为用户经常选择简单易记的密码,而这些密码总是很容易猜测。
Many existing mechanisms also require the password database on the host to be kept secret because the password P or some private hash h(P) is stored there and would compromise security if revealed. That approach often degenerates into "security through obscurity" and goes against the UNIX convention of keeping a "public" password file whose contents can be revealed without destroying system security.
许多现有机制还要求主机上的密码数据库保密,因为密码P或某些私有散列h(P)存储在那里,如果泄露,将危及安全性。这种方法通常会退化为“通过模糊实现安全”,并且违背了UNIX的惯例,即保存一个“公共”密码文件,该文件的内容可以在不破坏系统安全性的情况下公开。
SRP meets the strictest requirements laid down in [RFC 1704] for a non-disclosing authentication protocol. It offers complete protection against both passive and active attacks, and accomplishes this efficiently using a single Diffie-Hellman-style round of computation, making it feasible to use in both interactive and non-interactive authentication for a wide range of Internet protocols. Since it retains its security when used with low-entropy passwords, it can be seamlessly integrated into existing user applications.
SRP符合[RFC 1704]中规定的非公开认证协议的最严格要求。它提供了针对被动和主动攻击的完整保护,并使用一轮Diffie-Hellman风格的计算有效地实现了这一点,使其能够用于各种Internet协议的交互式和非交互式身份验证。由于它在与低熵密码一起使用时保持了安全性,因此可以无缝集成到现有的用户应用程序中。
The protocol described by this document is sometimes referred to as "SRP-3" for historical purposes. This particular protocol is described in [SRP] and is believed to have very good logical and cryptographic resistance to both eavesdropping and active attacks.
出于历史目的,本文件描述的协议有时被称为“SRP-3”。该特定协议在[SRP]中进行了描述,并被认为对窃听和主动攻击具有很好的逻辑和密码抵抗能力。
This document does not attempt to describe SRP in the context of any particular Internet protocol; instead it describes an abstract protocol that can be easily fitted to a particular application. For example, the specific format of messages (including padding) is not specified. Those issues have been left to the protocol implementor to decide.
本文件不试图在任何特定互联网协议的上下文中描述SRP;相反,它描述了一个抽象的协议,可以很容易地适用于特定的应用程序。例如,未指定消息的特定格式(包括填充)。这些问题留给协议实现者来决定。
The one implementation issue worth specifying here is the mapping between strings and integers. Internet protocols are byte-oriented, while SRP performs algebraic operations on its messages, so it is logical to define at least one method by which integers can be converted into a string of bytes and vice versa.
这里值得指定的一个实现问题是字符串和整数之间的映射。Internet协议是面向字节的,而SRP对其消息执行代数运算,因此至少定义一种方法是合乎逻辑的,通过这种方法,整数可以转换为字节字符串,反之亦然。
An n-byte string S can be converted to an integer as follows:
n字节字符串S可以转换为整数,如下所示:
i = S[n-1] + 256 * S[n-2] + 256^2 * S[n-3] + ... + 256^(n-1) * S[0]
i = S[n-1] + 256 * S[n-2] + 256^2 * S[n-3] + ... + 256^(n-1) * S[0]
where i is the integer and S[x] is the value of the x'th byte of S. In human terms, the string of bytes is the integer expressed in base 256, with the most significant digit first. When converting back to a string, S[0] must be non-zero (padding is considered to be a separate, independent process). This conversion method is suitable for file storage, in-memory representation, and network transmission of large integer values. Unless otherwise specified, this mapping will be assumed.
其中,i是整数,S[x]是S的第x个字节的值。在人类术语中,字节串是以256为基数表示的整数,最高有效位在前。当转换回字符串时,S[0]必须为非零(填充被认为是一个独立的过程)。这种转换方法适用于文件存储、内存表示和大整数值的网络传输。除非另有规定,否则将假定此映射。
If implementations require padding a string that represents an integer value, it is recommended that they use zero bytes and add them to the beginning of the string. The conversion back to integer automatically discards leading zero bytes, making this padding scheme less prone to error.
如果实现需要填充表示整数值的字符串,建议使用零字节并将其添加到字符串的开头。返回整数的转换会自动丢弃前导的零字节,从而使此填充方案不太容易出错。
The SHA hash function, when used in this document, refers to the SHA-1 message digest algorithm described in [SHA1].
本文档中使用的SHA哈希函数指的是[SHA1]中描述的SHA-1消息摘要算法。
This section describes an implementation of the SRP authentication and key-exchange protocol that employs the SHA hash function to generate session keys and authentication proofs.
本节介绍SRP身份验证和密钥交换协议的实现,该协议使用SHA哈希函数生成会话密钥和身份验证证明。
The host stores user passwords as triplets of the form
主机将用户密码存储为表单的三元组
{ <username>, <password verifier>, <salt> }
{ <username>, <password verifier>, <salt> }
Password entries are generated as follows:
密码条目的生成如下所示:
<salt> = random() x = SHA(<salt> | SHA(<username> | ":" | <raw password>)) <password verifier> = v = g^x % N
<salt> = random() x = SHA(<salt> | SHA(<username> | ":" | <raw password>)) <password verifier> = v = g^x % N
The | symbol indicates string concatenation, the ^ operator is the exponentiation operation, and the % operator is the integer remainder operation. Most implementations perform the exponentiation and remainder in a single stage to avoid generating unwieldy intermediate results. Note that the 160-bit output of SHA is implicitly converted to an integer before it is operated upon.
|符号表示字符串串联,^运算符表示求幂运算,%运算符表示整数余数运算。大多数实现在单个阶段执行求幂和余数运算,以避免生成笨拙的中间结果。请注意,SHA的160位输出在操作之前隐式转换为整数。
Authentication is generally initiated by the client.
身份验证通常由客户端启动。
Client Host -------- ------ U = <username> --> <-- s = <salt from passwd file>
Client Host -------- ------ U = <username> --> <-- s = <salt from passwd file>
Upon identifying himself to the host, the client will receive the salt stored on the host under his username.
在向主机标识自己后,客户端将收到以其用户名存储在主机上的salt。
a = random() A = g^a % N --> v = <stored password verifier> b = random() <-- B = (v + g^b) % N
a = random() A = g^a % N --> v = <stored password verifier> b = random() <-- B = (v + g^b) % N
p = <raw password> x = SHA(s | SHA(U | ":" | p))
p = <raw password> x = SHA(s | SHA(U | ":" | p))
S = (B - g^x) ^ (a + u * x) % N S = (A * v^u) ^ b % N K = SHA_Interleave(S) K = SHA_Interleave(S) (this function is described in the next section)
S = (B - g^x) ^ (a + u * x) % N S = (A * v^u) ^ b % N K = SHA_Interleave(S) K = SHA_Interleave(S) (this function is described in the next section)
The client generates a random number, raises g to that power modulo the field prime, and sends the result to the host. The host does the same thing and also adds the public verifier before sending it to the client. Both sides then construct the shared session key based on the respective formulae.
客户机生成一个随机数,将g提升到字段素数的幂模,并将结果发送给主机。主机执行同样的操作,并在将其发送到客户端之前添加公共验证器。然后,双方根据各自的公式构造共享会话密钥。
The parameter u is a 32-bit unsigned integer which takes its value from the first 32 bits of the SHA1 hash of B, MSB first.
参数u是一个32位无符号整数,其值取自B的SHA1散列的前32位,MSB first。
The client MUST abort authentication if B % N is zero.
如果B%N为零,客户端必须中止身份验证。
The host MUST abort the authentication attempt if A % N is zero. The host MUST send B after receiving A from the client, never before.
如果%N为零,主机必须中止身份验证尝试。主机必须在从客户端接收A之后发送B,而不是之前。
At this point, the client and server should have a common session key that is secure (i.e. not known to an outside party). To finish authentication, they must prove to each other that their keys are identical.
此时,客户端和服务器应该有一个安全的公共会话密钥(即,外部方不知道)。要完成身份验证,他们必须相互证明他们的密钥是相同的。
M = H(H(N) XOR H(g) | H(U) | s | A | B | K) --> <-- H(A | M | K)
M = H(H(N) XOR H(g) | H(U) | s | A | B | K) --> <-- H(A | M | K)
The server will calculate M using its own K and compare it against the client's response. If they do not match, the server MUST abort and signal an error before it attempts to answer the client's challenge. Not doing so could compromise the security of the user's password.
服务器将使用自己的K计算M,并将其与客户端的响应进行比较。如果它们不匹配,服务器必须中止并发出错误信号,然后再尝试回答客户端的质询。不这样做可能会危及用户密码的安全性。
If the server receives a correct response, it issues its own proof to the client. The client will compute the expected response using its own K to verify the authenticity of the server. If the client responded correctly, the server MUST respond with its hash value.
如果服务器收到正确的响应,它会向客户机发出自己的证明。客户端将使用自己的K计算预期响应,以验证服务器的真实性。如果客户端响应正确,则服务器必须使用其哈希值进行响应。
The transactions in this protocol description do not necessarily have a one-to-one correspondence with actual protocol messages. This description is only intended to illustrate the relationships between the different parameters and how they are computed. It is possible, for example, for an implementation of the SRP-SHA1 mechanism to consolidate some of the flows as follows:
此协议描述中的事务不一定与实际协议消息一一对应。本说明仅用于说明不同参数之间的关系及其计算方式。例如,对于SRP-SHA1机制的实施,有可能按照以下方式整合一些流:
Client Host -------- ------ U, A --> <-- s, B H(H(N) XOR H(g) | H(U) | s | A | B | K) --> <-- H(A | M | K)
Client Host -------- ------ U, A --> <-- s, B H(H(N) XOR H(g) | H(U) | s | A | B | K) --> <-- H(A | M | K)
The values of N and g used in this protocol must be agreed upon by the two parties in question. They can be set in advance, or the host can supply them to the client. In the latter case, the host should send the parameters in the first message along with the salt. For maximum security, N should be a safe prime (i.e. a number of the form N = 2q + 1, where q is also prime). Also, g should be a generator modulo N (see [SRP] for details), which means that for any X where 0 < X < N, there exists a value x for which g^x % N == X.
本协议中使用的N和g值必须经双方同意。它们可以预先设置,也可以由主机提供给客户端。在后一种情况下,主机应将第一条消息中的参数与salt一起发送。为了获得最大安全性,N应该是一个安全素数(即形式为N=2q+1的数字,其中q也是素数)。此外,g应该是一个生成器模N(有关详细信息,请参见[SRP]),这意味着对于0<X<N的任何X,存在一个值X,其中g^X%N==X。
The SHA_Interleave function used in SRP-SHA1 is used to generate a session key that is twice as long as the 160-bit output of SHA1. To compute this function, remove all leading zero bytes from the input. If the length of the resulting string is odd, also remove the first byte. Call the resulting string T. Extract the even-numbered bytes into a string E and the odd-numbered bytes into a string F, i.e.
SRP-SHA1中使用的SHA_交织函数用于生成会话密钥,该密钥是SHA1 160位输出的两倍。要计算此函数,请从输入中删除所有前导零字节。如果结果字符串的长度为奇数,请同时删除第一个字节。调用生成的字符串T。将偶数字节提取为字符串E,将奇数字节提取为字符串F,即。
E = T[0] | T[2] | T[4] | ... F = T[1] | T[3] | T[5] | ...
E=T[0]| T[2]| T[4]|。。。F=T[1]| T[3]| T[5]|。。。
Both E and F should be exactly half the length of T. Hash each one with regular SHA1, i.e.
E和F都应该正好是T长度的一半。用正则SHA1散列每个长度,即。
G = SHA(E) H = SHA(F)
G = SHA(E) H = SHA(F)
Interleave the two hashes back together to form the output, i.e.
将两个散列交织在一起形成输出,即。
result = G[0] | H[0] | G[1] | H[1] | ... | G[19] | H[19]
结果=G[0]| H[0]| G[1]| H[1]|……|G[19]| H[19]
The result will be 40 bytes (320 bits) long.
结果将是40字节(320位)长。
SRP can be used with hash functions other than SHA. If the hash function produces an output of a different length than SHA (20 bytes), it may change the length of some of the messages in the protocol, but the fundamental operation will be unaffected.
SRP可以与SHA以外的散列函数一起使用。如果哈希函数生成的输出长度与SHA不同(20字节),则它可能会更改协议中某些消息的长度,但基本操作不会受到影响。
Earlier versions of the SRP mechanism used the MD5 hash function, described in [RFC 1321]. Keyed hash transforms are also recommended for use with SRP; one possible construction uses HMAC [RFC 2104], using K to key the hash in each direction instead of concatenating it with the other parameters.
SRP机制的早期版本使用了[RFC 1321]中描述的MD5哈希函数。还建议与SRP一起使用键控哈希转换;一种可能的构造使用HMAC[rfc2104],使用K在每个方向对散列进行键控,而不是将其与其他参数连接。
Any hash function used with SRP should produce an output of at least 16 bytes and have the property that small changes in the input cause significant nonlinear changes in the output. [SRP] covers these issues in more depth.
与SRP一起使用的任何哈希函数都应产生至少16个字节的输出,并且具有这样的特性:输入中的微小变化会导致输出中的显著非线性变化。[SRP]更深入地讨论了这些问题。
This entire memo discusses an authentication and key-exchange system that protects passwords and exchanges keys across an untrusted network. This system improves security by eliminating the need to send cleartext passwords over the network and by enabling encryption through its secure key-exchange mechanism.
整个备忘录讨论了一个身份验证和密钥交换系统,该系统在不受信任的网络中保护密码和交换密钥。该系统无需通过网络发送明文密码,并通过其安全密钥交换机制实现加密,从而提高了安全性。
The private values for a and b correspond roughly to the private values in a Diffie-Hellman exchange and have similar constraints of length and entropy. Implementations may choose to increase the length of the parameter u, as long as both client and server agree, but it is not recommended that it be shorter than 32 bits.
a和b的私有值大致对应于Diffie-Hellman交换中的私有值,并且具有类似的长度和熵约束。只要客户机和服务器都同意,实现可以选择增加参数u的长度,但不建议它短于32位。
SRP has been designed not only to counter the threat of casual password-sniffing, but also to prevent a determined attacker equipped with a dictionary of passwords from guessing at passwords using captured network traffic. The SRP protocol itself also resists active network attacks, and implementations can use the securely exchanged keys to protect the session against hijacking and provide confidentiality.
SRP的设计目的不仅在于对抗偶然密码嗅探的威胁,还在于防止配备密码字典的坚定攻击者使用捕获的网络流量猜测密码。SRP协议本身也可以抵御主动网络攻击,实现可以使用安全交换的密钥来保护会话免受劫持,并提供机密性。
SRP also has the added advantage of permitting the host to store passwords in a form that is not directly useful to an attacker. Even if the host's password database were publicly revealed, the attacker would still need an expensive dictionary search to obtain any passwords. The exponential computation required to validate a guess in this case is much more time-consuming than the hash currently used by most UNIX systems. Hosts are still advised, though, to try their best to keep their password files secure.
SRP还具有允许主机以对攻击者没有直接用处的形式存储密码的附加优势。即使主机的密码数据库被公开,攻击者仍然需要昂贵的字典搜索来获取任何密码。在这种情况下,验证猜测所需的指数计算比大多数UNIX系统当前使用的哈希要耗时得多。不过,仍建议主机尽最大努力确保密码文件的安全。
[RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[RFC 1321]Rivest,R.,“MD5消息摘要算法”,RFC 1321,1992年4月。
[RFC 1704] Haller, N. and R. Atkinson, "On Internet Authentication", RFC 1704, October 1994.
[RFC 1704]Haller,N.和R.Atkinson,“互联网认证”,RFC 17041994年10月。
[RFC 1760] Haller, N., "The S/Key One-Time Password System", RFC 1760, Feburary 1995.
[RFC1760]Haller,N.,“S/键一次性密码系统”,RFC1760,1995年2月。
[RFC 2095] Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP AUTHorize Extension for Simple Challenge/Response", RFC 2095, January 1997.
[RFC 2095]Klensin,J.,Catoe,R.和P.Krumviede,“简单质询/响应的IMAP/POP授权扩展”,RFC 2095,1997年1月。
[RFC 2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[RFC 2104]Krawczyk,H.,Bellare,M.和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,1997年2月。
[SHA1] National Institute of Standards and Technology (NIST), "Announcing the Secure Hash Standard", FIPS 180-1, U.S. Department of Commerce, April 1995.
[SHA1]国家标准与技术研究所(NIST),“宣布安全哈希标准”,FIPS 180-1,美国商务部,1995年4月。
[SRP] T. Wu, "The Secure Remote Password Protocol", In Proceedings of the 1998 Internet Society Symposium on Network and Distributed Systems Security, San Diego, CA, pp. 97-111.
[SRP]T.Wu,“安全远程密码协议”,1998年互联网协会网络和分布式系统安全研讨会论文集,加利福尼亚州圣地亚哥,第97-111页。
Thomas Wu Stanford University Stanford, CA 94305
托马斯·吴斯坦福大学加利福尼亚州斯坦福94305
EMail: tjw@cs.Stanford.EDU
EMail: tjw@cs.Stanford.EDU
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。