Using the Secure Remote Password (SRP) Protocol for TLS Authentication
RFC 5054
| Document | Type |
RFC - Informational
(November 2007; Errata)
Was draft-ietf-tls-srp (tls WG)
|
|
|---|---|---|---|
| Authors | David Taylor , Trevor Perrin , Thomas Wu , Nikos Mavrogiannopoulos | ||
| Last updated | 2013-03-28 | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 5054 (Informational) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Tim Polk | ||
| Send notices to | ekr@networkresonance.com, Pasi.Eronen@nokia.com | ||
Network Working Group D. Taylor
Request for Comments: 5054 Independent
Category: Informational T. Wu
Cisco
N. Mavrogiannopoulos
T. Perrin
Independent
November 2007
Using the Secure Remote Password (SRP) Protocol for TLS Authentication
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Abstract
This memo presents a technique for using the Secure Remote Password
protocol as an authentication method for the Transport Layer Security
protocol.
Taylor, et al. Informational [Page 1]
RFC 5054 Using SRP for TLS Authentication November 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. SRP Authentication in TLS . . . . . . . . . . . . . . . . . . 3
2.1. Notation and Terminology . . . . . . . . . . . . . . . . . 3
2.2. Handshake Protocol Overview . . . . . . . . . . . . . . . 4
2.3. Text Preparation . . . . . . . . . . . . . . . . . . . . . 5
2.4. SRP Verifier Creation . . . . . . . . . . . . . . . . . . 5
2.5. Changes to the Handshake Message Contents . . . . . . . . 5
2.5.1. Client Hello . . . . . . . . . . . . . . . . . . . . . 6
2.5.2. Server Certificate . . . . . . . . . . . . . . . . . . 7
2.5.3. Server Key Exchange . . . . . . . . . . . . . . . . . 7
2.5.4. Client Key Exchange . . . . . . . . . . . . . . . . . 8
2.6. Calculating the Premaster Secret . . . . . . . . . . . . . 8
2.7. Ciphersuite Definitions . . . . . . . . . . . . . . . . . 9
2.8. New Message Structures . . . . . . . . . . . . . . . . . . 9
2.8.1. Client Hello . . . . . . . . . . . . . . . . . . . . . 10
2.8.2. Server Key Exchange . . . . . . . . . . . . . . . . . 10
2.8.3. Client Key Exchange . . . . . . . . . . . . . . . . . 11
2.9. Error Alerts . . . . . . . . . . . . . . . . . . . . . . . 11
3. Security Considerations . . . . . . . . . . . . . . . . . . . 12
3.1. General Considerations for Implementors . . . . . . . . . 12
3.2. Accepting Group Parameters . . . . . . . . . . . . . . . . 12
3.3. Protocol Characteristics . . . . . . . . . . . . . . . . . 12
3.4. Hash Function Considerations . . . . . . . . . . . . . . . 13
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1. Normative References . . . . . . . . . . . . . . . . . . . 14
5.2. Informative References . . . . . . . . . . . . . . . . . . 15
Appendix A. SRP Group Parameters . . . . . . . . . . . . . . . . 16
Appendix B. SRP Test Vectors . . . . . . . . . . . . . . . . . . 21
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 22
Taylor, et al. Informational [Page 2]
RFC 5054 Using SRP for TLS Authentication November 2007
1. Introduction
At the time of writing TLS [TLS] uses public key certificates, pre-
shared keys, or Kerberos for authentication.
These authentication methods do not seem well suited to certain
applications now being adapted to use TLS ([IMAP], for example).
Given that many protocols are designed to use the user name and
password method of authentication, being able to safely use user
names and passwords provides an easier route to additional security.
SRP ([SRP], [SRP-6]) is an authentication method that allows the use
of user names and passwords over unencrypted channels without
revealing the password to an eavesdropper. SRP also supplies a
shared secret at the end of the authentication sequence that can be
used to generate encryption keys.
This document describes the use of the SRP authentication method for
TLS.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [REQ].
2. SRP Authentication in TLS
2.1. Notation and Terminology
The version of SRP used here is sometimes referred to as "SRP-6"
[SRP-6]. This version is a slight improvement over "SRP-3", which
was described in [SRP] and [SRP-RFC]. For convenience, this document
and [SRP-RFC] include the details necessary to implement SRP-6;
[SRP-6] is cited for informative purposes only.
Show full document text