IETF-SSH archive


Re: GSS-API SRP mech (was Re: retrying keyex ...)



Simon Tatham wrote:
Sam Hartman  <hartmans%mit.edu@localhost> wrote:
[existing implementations of SRP authentication in SSH]

Please don't; use Keith's GSSAPI mechanism.  I believe that getting
his draft in shape should not take too much time at all.


Stop me if I'm being completely ignorant, but I thought GSSAPI
required the use of a null host key?

One of the great things about SRP as implemented in the hacked
OpenSSH I saw is that it uses the shared secret output from the SRP
exchange to validate the ordinary SSH host key - so that you can
connect to a machine whose host key you don't already know, enter
your SRP passphrase in confidence that it can't be stolen even if
the server has been spoofed, and if the SRP exchange completes
successfully then you can also be sure that _that host key_ belongs
to a machine which already knew what your passphrase should have
been. Then, later, you can use other forms of authentication to talk
to the same server and now be confident of its host key.

I think that any SRP implementation which worked by avoiding the
host key completely would be a step backwards from this. The whole
host key problem is a major hassle to many SSH users, and making it
simpler would be a serious gain.

I agree completely - one of the big benefits of SRP is that it does both strong password authentication *and* key exchange, and a protocol can leverage the exchanged key for subsequent secure communications. The important technical property is the tying of the SRP exchange to the protocol's native session security layer. As of now, the two popular approaches are:

- Use the SRP session key directly as a session key (e.g. SRP/TLS)
- Use the SRP key exchange to validate another, previously unauthenticated, key exchange (e.g. SSH).

The latter approach seems useful for SSH since its own key exchange mechanism is based on the host key. I am also ignorant of how GSSAPI would handle this. The important question to ask is: What happens if the SSH host public key is modified by an attacker in transit when doing an SRP authentication? With the patched OpenSSH, since it includes a hash of the public key inside the SRP verification messages, it would cause authentication to fail, thwarting the MITM attack.


Cheers,
Simon

Tom
--
Tom Wu
Chief Security Architect
Arcot Systems
(408) 969-6124
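The binding Tom describes above, a hash of the SSH host public key folded into the SRP verification messages so that a host key altered in transit makes authentication fail, as an added Python example that is not from this thread or from the patched OpenSSH. The toy group parameters, the proof layout M1 = H(A, B, K, H(hostkey)) and all function names are assumptions made for the demonstration.

```python
import hashlib
import secrets

# Toy group: 1019 = 2*509 + 1 is a safe prime and 2 generates its full group.
# Constructed for this demo only; real SRP uses the large groups of RFC 5054.
N, g = 1019, 2


def H(*parts):
    """Hash ints (as big-endian bytes) and byte strings together; return an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")

def register(user, password):
    """Server-side enrolment: store (salt, verifier v), never the password."""
    salt = secrets.token_bytes(16)
    x = H(salt, user.encode(), password.encode())
    return salt, pow(g, x, N)

def client_proof(a, B, salt, user, password, hostkey_seen):
    """Client side of SRP-6a; M1 also commits to the host key the client saw."""
    A = pow(g, a, N)
    u, k = H(A, B), H(N, g)
    x = H(salt, user.encode(), password.encode())
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = H(S)
    return K, H(A, B, K, H(hostkey_seen))

def server_verify(b, A, B, v, M1, hostkey_real):
    """Recompute K and M1 with the server's own host key; return M2 or None."""
    if A % N == 0:
        return None
    u = H(A, B)
    K = H(pow(A * pow(v, u, N) % N, b, N))
    if M1 != H(A, B, K, H(hostkey_real)):
        return None  # wrong password, or the host key was altered in transit
    return H(A, M1, K)

def run_session(user, password, salt, v, hostkey_real, hostkey_seen):
    """Full exchange; returns True only if both sides accept each other."""
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    B = (H(N, g) * v + pow(g, b, N)) % N
    K, M1 = client_proof(a, B, salt, user, password, hostkey_seen)
    M2 = server_verify(b, A, B, v, M1, hostkey_real)
    return M2 == H(A, M1, K)  # client trusts the host key only on a valid M2
```

Because K never leaves either side, a man in the middle who swaps the host key sees M1 fail without learning anything usable about the password, which is the property Simon wanted to keep.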



