IETF-SSH archive


Re: Some SRP issues

"Niels Möller" wrote:
> 
> A second issue is negotiation of the group (or perhaps more properly,
> ring) used for the exchange. Tom Holroyd likes to have the ability to
> negotiate which group is used, analogously to the
> draft-dh-group-exchange. I don't know the exact details, but I imagine
> that the group is stored together with the verifier and therefore
> chosen by the server.

Yes, the server selects the ring beforehand.  When a user sets/changes
his password, that ring is used to compute the verifier, which is stored
on the server.

> But if the user's secret value x is constructed as
> 
>   x = HASH(s | H(n | p))
> 
> like in my draft, this opens for attack. Assume that we are
> communicating with a bogus server. The server tells us to use a group
> of its choice, and it chooses a group in which the attacker can
> compute discrete logarithms.
> 
> Now the user sends v = g^x to the server, and the server can extract x
> (modulo the size of his chosen group). Knowing x, the attacker can
> impersonate the user to the real server.

I assume you're referring to a situation where a user is attempting to
*set* his password remotely for the very first time on a server, since
that is the only time one would ever send "v" over the network.  The
user's initial password should be set locally.  Once that is
established, the user can log in securely from anywhere, and can change
his password securely.  I don't see how the situation you described
could ever arise in a real environment.

If you want to devise a mechanism to allow a user to do remote password
initialization (a very hard, unsolved problem), I'd recommend having the
user select the ring and send {N, g, s, v} to the server, encrypted and
MACed if possible.

> A possible remedy is to make x depend on the group, say,
> 
>   x = HASH(s | description of group | H(n | p))
> 
> Would that work? I think this illustrates that adding group

I don't see how this would help, and it would break compatibility with
the installed server base.  I agree that the question of how to select
rings/groups is a tricky one; this is something I've had to deal with
quite a bit when designing SRP and the associated protocols.

> negotiation must be done very carefully. (In the dh-group-exchange
> case, I think the security is saved by the server's signature. The
> signature provides authentication that doesn't break if the dh group
> is tampered with).
> 
> Regards,
> /Niels

-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg?  Sounds Swedish..."
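The first-time-registration scenario Niels describes, modelled as an added example that is not part of this thread or of any SRP implementation: a bogus server dictates a tiny group, the client sends v = g^x, and the client-side derivation of x either does or does not include the group description. It assumes SHA-256 as HASH, that n in H(n | p) is the user name, a colon-separated decimal encoding of N and g as the "description of group", and constructed toy groups (a 1019-element group standing in for the attacker's choice, 2^61-1 standing in for the legitimate modulus).

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 of the concatenation of its arguments (stand-in for the draft's HASH)."""
    return hashlib.sha256(b"".join(parts)).digest()

def group_description(N: int, g: int) -> bytes:
    # Assumed encoding of "description of group": decimal N and g, colon separated.
    return f"{N}:{g}".encode()

def derive_x(salt, name, password, group=None) -> int:
    """x = HASH(s | H(n | p)); when group is given, x = HASH(s | description of group | H(n | p))."""
    inner = H(name, password)
    if group is None:
        return int.from_bytes(H(salt, inner), "big")
    return int.from_bytes(H(salt, group_description(*group), inner), "big")

def verifier(group, x: int) -> int:
    N, g = group
    return pow(g, x, N)  # v = g^x mod N, the value sent to the server at registration

def brute_force_log(group, v: int, order: int) -> int:
    """Find e with g^e = v by exhaustive search; only feasible because the group is tiny."""
    N, g = group
    acc = 1
    for e in range(order):
        if acc == v:
            return e
        acc = acc * g % N
    raise ValueError("no solution")

# Constructed toy parameters (not real SRP groups).
REAL_GROUP = (2305843009213693951, 7)  # 2^61-1: stand-in for the legitimate server's modulus
WEAK_GROUP, WEAK_ORDER = (1019, 2), 1018  # safe prime 1019; g=2 generates all 1018 elements
SALT, NAME, PASSWORD = bytes.fromhex("0123456789abcdef"), b"alice", b"correct horse"

def exponent_learned_in_weak_group(bind_to_group: bool):
    """Model first-time registration against a bogus server that dictated WEAK_GROUP.
    Returns (e recovered from v, real x). Without binding, e == real x mod 1018."""
    x_weak = derive_x(SALT, NAME, PASSWORD, WEAK_GROUP if bind_to_group else None)
    x_real = derive_x(SALT, NAME, PASSWORD, REAL_GROUP if bind_to_group else None)
    e = brute_force_log(WEAK_GROUP, verifier(WEAK_GROUP, x_weak), WEAK_ORDER)
    return e, x_real

if __name__ == "__main__":
    for bind in (False, True):
        e, x_real = exponent_learned_in_weak_group(bind)
        print(f"bind_to_group={bind}: recovered e={e}, equals real x mod 1018? {e == x_real % 1018}")
```

With the group-independent derivation the exponent recovered in the weak group is the same secret (reduced mod 1018) the client would use with the legitimate server; with the bound derivation the two x values are unrelated hashes, which is why Tom's advice to set the initial password locally, or to have the user pick the ring, removes the window entirely.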