Re: GSS-API SRP mech (was Re: retrying keyex ...)

To: Simon Tatham <anakin%pobox.com@localhost>
Subject: Re: GSS-API SRP mech (was Re: retrying keyex ...)
From: Tom Wu <tom%arcot.com@localhost>
Date: Thu, 17 Jul 2003 12:31:20 -0700

Simon Tatham wrote:

Sam Hartman  <hartmans%mit.edu@localhost> wrote:
[existing implementations of SRP authentication in SSH]

Please don't; use Keith's GSSAPI mechanism.  I believe that getting
his draft in shape should not take too much time at all.



Stop me if I'm being completely ignorant, but I thought GSSAPI
required the use of a null host key?

One of the great things about SRP as implemented in the hacked
OpenSSH I saw is that it uses the shared secret output from the SRP
exchange to validate the ordinary SSH host key - so that you can
connect to a machine whose host key you don't already know, enter
your SRP passphrase in confidence that it can't be stolen even if
the server has been spoofed, and if the SRP exchange completes
successfully then you can also be sure that _that host key_ belongs
to a machine which already knew what your passphrase should have
been. Then, later, you can use other forms of authentication to talk
to the same server and now be confident of its host key.

I think that any SRP implementation which worked by avoiding the
host key completely would be a step backwards from this. The whole
host key problem is a major hassle to many SSH users, and making it
simpler would be a serious gain.

I agree completely - one of the big benefits of SRP is that it does bothstrong password authentication *and* key exchange, and a protocol canleverage the exchanged key for subsequent secure communications. Theimportant technical property is the tying of the SRP exchange to theprotocol's native session security layer. As of now, the two popularapproaches are:


- Use the SRP session key directly as a session key (e.g. SRP/TLS)

- Use the SRP key exchange to validate another, previouslyunauthenticated, key exchange (e.g. SSH).

The latter approach seems useful for SSH since its own key exchangemechanism is based on the host key. I am also ignorant of how GSSAPIwould handle this. The important question to ask is: What happens ifthe SSH host public key is modified by an attacker in transit when doingan SRP authentication? With the patched OpenSSH, since it includes ahash of the public key inside the SRP verification messages, it wouldcause authentication to fail, thwarting the MITM attack.


Cheers,
Simon


Tom
--
Tom Wu
Chief Security Architect
Arcot Systems
(408) 969-6124

Follow-Ups:
- Re: GSS-API SRP mech (was Re: retrying keyex ...)
  - From: Markus Friedl

References:
- Re: GSS-API SRP mech (was Re: retrying keyex ...)
  - From: Simon Tatham

Prev by Date: Re: SSH_MSG_KEXGSS_HOSTKEY (was: Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt)
Next by Date: Re: SSH_MSG_KEXGSS_HOSTKEY (was: Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt)
Previous by Thread: Re: GSS-API SRP mech (was Re: retrying keyex ...)
Next by Thread: Re: GSS-API SRP mech (was Re: retrying keyex ...)
Indexes:

Home | Main Index | Thread Index | Old Index