2d86ea2a1d
SVN-Revision: 13738
110 lines
5.3 KiB
Text
110 lines
5.3 KiB
Text
t_* stuff is from the srp 1.7.1 dist
|
|
bn_* stuff is from openssl 0.9.6
|
|
|
|
(The 7 in libtinysrp's version number reflects the srp version.)
|
|
|
|
Licensing and copyright for srp and openssl are as indicated in the relevant
|
|
source files. Everything else here is GPL, including the tinysrp protocol.
|
|
|
|
Changelog since initial release:
|
|
|
|
0.7.4 more robust terminal modes in t_getpass
|
|
a potential buffer overflow in tinysrp
|
|
0.7.5 uninitialized pointer bug in tconf
|
|
|
|
Changes from the base srp and openssl distributions:
|
|
|
|
I've removed everything that's not needed for client/server operations, and
|
|
all the bn_* stuff that's only used for prime generation has been moved to
|
|
t_conf.c, which isn't part of the library anymore. Also, all the routines
|
|
used for passphrase file maintenance have been moved to tphrase.c.
|
|
|
|
The library has been optimized (a bit) for space instead of speed. Since
|
|
authentication is usually only done once, this isn't a big problem. Modern
|
|
CPUs are plenty fast for this task, and even 100 MHz CPUs are fine. If you
|
|
really need the speed, get the regular distributions.
|
|
|
|
Note that if the server sends the client a prime that the client doesn't
|
|
know about, the client MUST test for primality. Since this is pretty
|
|
expensive, and takes 30 seconds on a 100 MHz machine, and uses lots of code,
|
|
I've removed that ability from the client. So only KNOWN primes can be
|
|
used. You can still generate new ones with tconf, but you have to install
|
|
them in the table of known primes (pre_params) in t_getconf.c that's common
|
|
to the client and server, and recompile. The configuration file is gone.
|
|
|
|
The default prime (the last entry in the table) is 1024 bits; there are
|
|
others with more bits but they will be correspondingly slower.
|
|
|
|
The default tpasswd file (which is an ascii file that may be editted with a
|
|
regular text editor) contains two users: moo (passphrase "glub glub") and
|
|
"new user" (passphrase "this is a test"). Passphrases may be added or
|
|
changed with tphrase; you can also change the user's prime. To delete a
|
|
user, edit the tpasswd file and remove that line. The tpasswd file's
|
|
default name is DEFAULT_PASSWD in t_pwd.h. Note that you can't change a
|
|
user's username by editting the file: the username is encoded in the
|
|
verifier. If you change a username you must set a new passphrase with
|
|
tphrase.
|
|
|
|
Here is an example session, using the supplied srvtest and clitest. First,
|
|
start both programs in different windows, and enter the user names. Normally,
|
|
the client would send the username to the server. Server lines are marked
|
|
with S>, client lines with C>.
|
|
|
|
S> % srvtest
|
|
S> Enter username: moo
|
|
S> index (to client): 5
|
|
S> salt (to client): 19AI0Hc9jEkdFc
|
|
|
|
C> % clitest
|
|
C> Enter username: moo
|
|
C> Enter index (from server): 5
|
|
C> Enter salt (from server): 19AI0Hc9jEkdFc
|
|
|
|
The server reports the index and salt values used for that user. They
|
|
are sent over the network to the client. (Simulate this by cutting and
|
|
pasting from one window to the other.)
|
|
|
|
C> A (to server): 5wCDXRxLIv/zLazYfKupV/OY3BlhTZuJ71wVgI0HcL1kSJEpkMuWF.xEz/BV2wlJl7vk5Eoz9KMS1ccnaatsVP5D6CBm7UA.yVB59EQFN0dNBirvX29NAFdtdMsMppo5tHRy987XjJWrWSLpeibq6emr.gP8nYyX75GQqSiMY1j
|
|
C> Enter password:
|
|
|
|
S> Enter A (from client): 5wCDXRxLIv/zLazYfKupV/OY3BlhTZuJ71wVgI0HcL1kSJEpkMuWF.xEz/BV2wlJl7vk5Eoz9KMS1ccnaatsVP5D6CBm7UA.yVB59EQFN0dNBirvX29NAFdtdMsMppo5tHRy987XjJWrWSLpeibq6emr.gP8nYyX75GQqSiMY1j
|
|
|
|
Now the client calculates A and sends it to the server, and while the
|
|
server is munching on that, the client gets the password from the user.
|
|
|
|
S> B (to client): 9dcCpulxQAbaDXI0NHWY6B.QH6B9fsoXs/x/5SCNBNJm/6H6bYfbVrwNmdquhLZjYMvpcgGc2mBYqL77RNfw1kVQo17//GfsByECBIjRnrAn02ffX9Y/llJcfscAQiii0hyZhJf9PT5wE7pC7WUjIgSqckIZ0JLNDbSr7fJcrgw
|
|
S> Session key: ebbcf3a45c968defdcfff6e144ad8d4f5412167c9716e79cbf7cacfe18257947ad46fa5d6418a1fd
|
|
|
|
The server now calculates B and sends it to the client. The session key
|
|
is not sent -- it is a shared secret that can be used for encryption.
|
|
|
|
C> Enter B (from server): 9dcCpulxQAbaDXI0NHWY6B.QH6B9fsoXs/x/5SCNBNJm/6H6bYfbVrwNmdquhLZjYMvpcgGc2mBYqL77RNfw1kVQo17//GfsByECBIjRnrAn02ffX9Y/llJcfscAQiii0hyZhJf9PT5wE7pC7WUjIgSqckIZ0JLNDbSr7fJcrgw
|
|
C> Session key: ebbcf3a45c968defdcfff6e144ad8d4f5412167c9716e79cbf7cacfe18257947ad46fa5d6418a1fd
|
|
C> Response (to server): b9ea99094a176c4be28eb469982066cc7146d180
|
|
|
|
The client uses the B value to calculate its own copy of the shared secret
|
|
session key, and sends a response to the server proving that it does know
|
|
the correct key.
|
|
|
|
S> Enter response (from client): b9ea99094a176c4be28eb469982066cc7146d180
|
|
S> Authentication successful.
|
|
S> Response (to client): cd46c839ccad2d0c76f3ca1905ae8ceda8d1c1dc
|
|
|
|
The server authenticates the client. (You're in!)
|
|
|
|
C> Enter server response: cd46c839ccad2d0c76f3ca1905ae8ceda8d1c1dc
|
|
C> Server authentication successful.
|
|
|
|
The client authenticates the server (prevents server spoofing in the case
|
|
where the session key isn't used to encrypt the channel -- a spoofed server
|
|
might just respond with random values and _pretend_ to authenticate the
|
|
client; but the spoofed server won't know the session key and this check
|
|
catches that).
|
|
|
|
Final note:
|
|
|
|
Remember that many breaches of security involve buggy software, such as
|
|
servers susceptible to buffer overflow exploits that totally bypass any
|
|
passphrase, secure or not. If an attacker roots your client, or the server,
|
|
no form of authentication will work. Consider MAC-based schemes if this
|
|
worries you.
|