Using the Secure Remote Password (SRP) Protocol for TLS Authentication
RFC 5054
Section | Field | Value
---|---|---
Document | Type | RFC - Informational (November 2007; Errata). Was draft-ietf-tls-srp (tls WG)
 | Authors | David Taylor, Trevor Perrin, Thomas Wu, Nikos Mavrogiannopoulos
 | Last updated | 2013-03-28
 | Stream | IETF
Stream | WG state | (None)
 | Document shepherd | No shepherd assigned
IESG | IESG state | RFC 5054 (Informational)
 | Action Holders | (None)
 | Consensus Boilerplate | Unknown
 | Responsible AD | Tim Polk
 | Send notices to | ekr@networkresonance.com, Pasi.Eronen@nokia.com
Network Working Group
Request for Comments: 5054
Category: Informational

D. Taylor, Independent
T. Wu, Cisco
N. Mavrogiannopoulos
T. Perrin, Independent
November 2007

Using the Secure Remote Password (SRP) Protocol for TLS Authentication

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Abstract

This memo presents a technique for using the Secure Remote Password protocol as an authentication method for the Transport Layer Security protocol.

Table of Contents

1. Introduction
2. SRP Authentication in TLS
2.1. Notation and Terminology
2.2. Handshake Protocol Overview
2.3. Text Preparation
2.4. SRP Verifier Creation
2.5. Changes to the Handshake Message Contents
2.5.1. Client Hello
2.5.2. Server Certificate
2.5.3. Server Key Exchange
2.5.4. Client Key Exchange
2.6. Calculating the Premaster Secret
2.7. Ciphersuite Definitions
2.8. New Message Structures
2.8.1. Client Hello
2.8.2. Server Key Exchange
2.8.3. Client Key Exchange
2.9. Error Alerts
3. Security Considerations
3.1. General Considerations for Implementors
3.2. Accepting Group Parameters
3.3. Protocol Characteristics
3.4. Hash Function Considerations
4. IANA Considerations
5. References
5.1. Normative References
5.2. Informative References
Appendix A. SRP Group Parameters
Appendix B. SRP Test Vectors
Appendix C. Acknowledgements

1. Introduction

At the time of writing TLS [TLS] uses public key certificates, pre-shared keys, or Kerberos for authentication.

These authentication methods do not seem well suited to certain applications now being adapted to use TLS ([IMAP], for example). Given that many protocols are designed to use the user name and password method of authentication, being able to safely use user names and passwords provides an easier route to additional security.

SRP ([SRP], [SRP-6]) is an authentication method that allows the use of user names and passwords over unencrypted channels without revealing the password to an eavesdropper. SRP also supplies a shared secret at the end of the authentication sequence that can be used to generate encryption keys.

This document describes the use of the SRP authentication method for TLS.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [REQ].

2. SRP Authentication in TLS

2.1. Notation and Terminology

The version of SRP used here is sometimes referred to as "SRP-6" [SRP-6]. This version is a slight improvement over "SRP-3", which was described in [SRP] and [SRP-RFC]. For convenience, this document and [SRP-RFC] include the details necessary to implement SRP-6; [SRP-6] is cited for informative purposes only.
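The following Python code is an added illustration, not part of the RFC text. It shows the two properties the Introduction attributes to SRP: only the user name, salt and public values cross the wire, and both sides still arrive at the same secret when the typed password matches the stored verifier. The arithmetic follows the SRP-6 formulas of Sections 2.4 to 2.6 of this RFC; the group (2**521 - 1 with g = 3), the function names and the sample credentials are assumptions made for the demonstration.

```python
import hashlib
import secrets

# Stand-in group (assumption): 2**521 - 1 is prime, but it is NOT one of the
# RFC's Appendix A groups and must not be used outside this demonstration.
N = 2**521 - 1
g = 3
N_LEN = (N.bit_length() + 7) // 8

def pad(n: int) -> bytes:
    """PAD(): big-endian, left-padded with zeros to the byte length of N."""
    return n.to_bytes(N_LEN, "big")

def sha1_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def private_x(salt: bytes, user: bytes, password: bytes) -> int:
    # x = SHA1(s | SHA1(I | ":" | P))
    return sha1_int(salt, hashlib.sha1(user + b":" + password).digest())

def make_verifier(salt: bytes, user: bytes, password: bytes) -> int:
    # v = g^x % N; the server stores (I, s, v) and never the password.
    return pow(g, private_x(salt, user, password), N)

def handshake(user: bytes, typed_password: bytes, salt: bytes, v: int):
    """Run both sides in one process; returns (client_pms, server_pms, wire)."""
    k = sha1_int(pad(N), pad(g))          # k = SHA1(N | PAD(g))
    # Server: knows only v. Sends N, g, s, B in ServerKeyExchange.
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N
    # Client: knows only the typed password. Sends A in ClientKeyExchange.
    a = secrets.randbits(256)
    A = pow(g, a, N)
    # Each side must reject a zero public value from its peer.
    if A % N == 0 or B % N == 0:
        raise ValueError("illegal_parameter")
    u = sha1_int(pad(A), pad(B))          # u = SHA1(PAD(A) | PAD(B))
    x = private_x(salt, user, typed_password)
    client_pms = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    server_pms = pow((A * pow(v, u, N)) % N, b, N)
    wire = {"I": user, "s": salt, "A": A, "B": B}   # all an eavesdropper sees
    return client_pms, server_pms, wire
```

A mismatch between the two premaster secrets is not detected by this arithmetic itself; in TLS it surfaces when the Finished messages fail to verify.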