The Secure Remote Password protocol (SRP) is an augmented password-authenticated key exchange (PAKE) protocol, specifically designed to work around existing patents.
Like all PAKE protocols, an eavesdropper or man in the middle cannot obtain enough information to be able to brute-force guess a password or apply a dictionary attack without further interactions with the parties for each guess. Furthermore, being an augmented PAKE protocol, the server does not store password-equivalent data. This means that an attacker who steals the server data cannot masquerade as
A Wi-Fi access point hosting a network without encryption could insert itself as a man in the middle. As it aims to circumvent mutual authentication, a MITM attack can succeed only when the attacker impersonates each endpoint sufficiently well to satisfy their expectations. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using
a field means $X = 0$. $Y$, on the other hand, can take any value, thus all triplets $(0, Y, 0)$ satisfy the equation. In projective geometry this set is simply the point $O = [0 : 1 : 0]$, which
A man-in-the-middle (MITM) attack, or on-path attack, is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, where in actuality the attacker has inserted themselves between the two user parties. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with
a passive attacker. Newer PAKEs such as AuCPace and OPAQUE offer stronger guarantees. The SRP protocol has a number of desirable properties: it allows a user to authenticate themselves to a server, it is resistant to dictionary attacks mounted by an eavesdropper, and it does not require a trusted third party. It effectively conveys a zero-knowledge password proof from the user to the server. In revision 6 of
a plane algebraic curve which consists of the solutions $(x, y)$ of $y^2 = x^3 + ax + b$ for some coefficients $a$ and $b$ in $K$. The curve is required to be non-singular, which means that it has no cusps or self-intersections. (This is equivalent to the condition $4a^3 + 27b^2 \neq 0$, that is, $x^3 + ax + b$ being square-free in $x$.) It is always understood that the curve is really sitting in the projective plane, with
a certain amount of time to perform a particular transaction. If one transaction, however, were to take an abnormal length of time to reach the other party, this could be indicative of a third party's presence interfering with the connection and inserting additional latency into the transaction. Quantum cryptography, in theory, provides tamper-evidence for transactions through the no-cloning theorem. Protocols based on quantum cryptography typically authenticate part or all of their classical communication with an unconditionally secure authentication scheme, for example Wegman–Carter authentication. Captured network traffic from what
a cubic at three points when accounting for multiplicity. For a point $P$, $-P$ is defined as the unique third point on the line passing through $O$ and $P$. Then, for any $P$ and $Q$, $P + Q$ is defined as $-R$ where $R$ is the unique third point on the line containing $P$ and $Q$. For an example of the group law over a non-Weierstrass curve, see Hessian curves. A curve $E$ defined over
a given message has come from a legitimate source. Tamper detection merely shows evidence that a message may have been altered and has broken integrity. All cryptographic systems that are secure against MITM attacks provide some method of authentication for messages. Most require an exchange of information (such as public keys) in addition to the message over a secure channel. Such protocols, often using key-agreement protocols, have been developed with different security requirements for
a group law defined algebraically, with respect to which it is an abelian group, and $O$ serves as the identity element. If $y^2 = P(x)$, where $P$ is any polynomial of degree three in $x$ with no repeated roots, the solution set is a nonsingular plane curve of genus one, an elliptic curve. If $P$ has degree four and is square-free this equation again describes a plane curve of genus one; however, it has no natural choice of identity element. More generally, any algebraic curve of genus one, for example
a human in the loop in order to successfully initiate the transaction. HTTP Public Key Pinning (HPKP), sometimes called "certificate pinning", helps prevent a MITM attack in which the certificate authority itself is compromised, by having the server provide a list of "pinned" public key hashes during the first transaction. Subsequent transactions then require that one or more of the keys in the list be used by
a mutually trusted certificate authority. Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to intercept the conversation to eavesdrop (breaking confidentiality) with the option to deliver a false message to Bob under the guise of Alice (breaking non-repudiation). Mallory would perform a man-in-the-middle attack as described in the following sequence of events. This example shows
a paper in which they demonstrate practical exploitation of a timing attack over the network. This exploits non-constant-time implementations of modular exponentiation of big numbers and impacted OpenSSL in particular. The SRP project was started in 1997. Two different approaches to fixing a security hole in SRP-1 resulted in SRP-2 and SRP-3. SRP-3 was first published in 1998 at a conference. RFC 2945, which describes SRP-3 with SHA1,
a security breach of the Dutch certificate authority DigiNotar resulted in the fraudulent issuing of certificates. Subsequently, the fraudulent certificates were used to perform MITM attacks. In 2013, Nokia's Xpress Browser was revealed to be decrypting HTTPS traffic on Nokia's proxy servers, giving the company clear text access to its customers' encrypted browser traffic. Nokia responded by saying that
is equivalent to the plaintext password $p$. This step is completed before the system is used, as part of the user's registration with Steve. Note that the salt $s$ is shared and exchanged later to negotiate a session key, so the value could be chosen by either side; it is chosen by Carol so that she can register $I$, $s$ and $v$ in a single registration request. The transmission and authentication of
is a plane curve defined by an equation of the form $y^2 = x^3 + ax + b$ after a linear change of variables ($a$ and $b$ are real numbers). This type of equation is called a Weierstrass equation, and is said to be in Weierstrass form, or Weierstrass normal form. The definition of elliptic curve also requires that the curve be non-singular. Geometrically, this means that the graph has no cusps, self-intersections, or isolated points. Algebraically, this holds if and only if
is a fixed representative of $P$ in $E(\mathbb{Q})/2E(\mathbb{Q})$, the height of $P_1$ is about $1/4$ of that of $P$ (more generally, replacing 2 by any $m > 1$, and $1/4$ by $1/m^2$). Redoing the same with $P_1$, that is to say $P_1 = 2P_2 + Q_2$, then $P_2 = 2P_3 + Q_3$, etc., finally expresses $P$ as an integral linear combination of points $Q_i$ and of points whose height
is a group, because properties of polynomial equations show that if $P$ is in $E(K)$, then $-P$ is also in $E(K)$, and if two of $P$, $Q$, $R$ are in $E(K)$, then so is the third. Additionally, if $K$ is a subfield of $L$, then $E(K)$ is a subgroup of $E(L)$. The above groups can be described algebraically as well as geometrically. Given the curve $y^2 = x^3 + bx + c$ over
is also a group isomorphism. Elliptic curves are especially important in number theory, and constitute a major area of current research; for example, they were used in Andrew Wiles's proof of Fermat's Last Theorem. They also find applications in elliptic curve cryptography (ECC) and integer factorization. An elliptic curve is not an ellipse in the sense of a projective conic, which has genus zero: see elliptic integral for
is bounded by a fixed constant chosen in advance: by the weak Mordell–Weil theorem and the second property of the height function, $P$ is thus expressed as an integral linear combination of a finite number of fixed points. The theorem however doesn't provide a method to determine any representatives of $E(\mathbb{Q})/mE(\mathbb{Q})$. The rank of $E(\mathbb{Q})$, that is the number of copies of $\mathbb{Z}$ in $E(\mathbb{Q})$ or, equivalently,
is given by the tangent to the curve at $(x_P, y_P)$. A more general expression for $s$ that works in both case 1 and case 2 is $s = \frac{x_P^2 + x_P x_Q + x_Q^2 + b}{y_P + y_Q}$, where equality to $\frac{y_P - y_Q}{x_P - x_Q}$ relies on $P$ and $Q$ obeying $y^2 = x^3 + bx + c$. For the curve $y^2 = x^3 + ax^2 + bx + c$ (the general form of an elliptic curve with characteristic 3),
is not defined on the line at infinity, but we can multiply by $Z^3$ to get one that is. The resulting equation is defined on the whole projective plane, and the curve it defines projects onto the elliptic curve of interest. To find its intersection with the line at infinity, we can just posit $Z = 0$. This implies $X^3 = 0$, which in
is not proven which of them have higher rank than the others or which is the true "current champion". As for the groups constituting the torsion subgroup of $E(\mathbb{Q})$, the following is known: the torsion subgroup of $E(\mathbb{Q})$ is one of the 15 following groups (a theorem due to Barry Mazur): $\mathbb{Z}/N\mathbb{Z}$ for $N = 1, 2, \ldots, 10$, or $12$, or $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2N\mathbb{Z}$ with $N = 1, 2, 3, 4$. Examples for every case are known. Moreover, elliptic curves whose Mordell–Weil groups over $\mathbb{Q}$ have
is simply the point opposite itself, i.e. itself. Let $K$ be a field over which the curve is defined (that is, the coefficients of the defining equation or equations of the curve are in $K$) and denote the curve by $E$. Then the $K$-rational points of $E$ are the points on $E$ whose coordinates all lie in $K$, including the point at infinity. The set of $K$-rational points is denoted by $E(K)$. $E(K)$
is suspected to be an attack can be analyzed in order to determine whether there was an attack and, if so, determine the source of the attack. Important evidence to analyze when performing network forensics on a suspected attack includes: A Stingray phone tracker is a cellular phone surveillance device that mimics a wireless carrier cell tower in order to force all nearby mobile phones and other cellular data devices to connect to it. The tracker relays all communications back and forth between cellular phones and cell towers. In 2011,
is the key that Steve would use if $p$ were the expected password. All values required to compute $K_p$ are either controlled by Carol or known from the first packet from Steve. Carol can now try to guess the password, generate the corresponding key, and attempt to decrypt Steve's encrypted message $c$ to verify the key. As protocol messages tend to be structured, it is assumed that identifying that $c$
is thus the unique intersection of the curve with the line at infinity. Since the curve is smooth, hence continuous, it can be shown that this point at infinity is the identity element of a group structure whose operation is geometrically described as follows: since the curve is symmetric about the $x$-axis, given any point $P$, we can take $-P$ to be the point opposite it. We then have $-O = O$, as $O$ lies on
is to only authenticate the server, which means mutual authentication is not always employed and MITM attacks can still occur. Attestments, such as verbal communications of a shared value (as in ZRTP), or recorded attestments such as audio/visual recordings of a public key hash, are used to ward off MITM attacks, as visual media is much more difficult and time-consuming to imitate than simple data packet communication. However, these methods require
is unknown to the server. Furthermore, the server also needs to know about the password (but not the password itself) in order to instigate the secure connection. This means that the server also authenticates itself to the client, which prevents phishing without reliance on the user parsing complex URLs. The only mathematically proven security property of SRP is that it is equivalent to Diffie–Hellman against
is used in this description of the protocol, version 6: all other variables are defined in terms of these. First, to establish a password $p$ with server Steve, client Carol picks a random salt $s$, and computes $x = H(s, p)$, $v = g^x$. Steve stores $v$ and $s$, indexed by $I$, as Carol's password verifier and salt. Carol must not share $x$ with anybody, and must safely erase it at this step, because it
is useful in a more advanced study of elliptic curves.) The real graph of a non-singular curve has two components if its discriminant is positive, and one component if it is negative. For example, in the two graphs shown in the figure, the discriminant in the first case is 64, and in the second case is −368. When working in the projective plane, the equation in homogeneous coordinates becomes a homogeneous equation in $X$, $Y$, $Z$. This equation
the $XZ$-plane, so that $-O$ is also the symmetrical of $O$ about the origin, and thus represents the same projective point. If $P$ and $Q$ are two points on the curve, then we can uniquely describe a third point $P + Q$ in the following way. First, draw the line that intersects $P$ and $Q$. This will generally intersect
the discriminant, $\Delta = -16(4a^3 + 27b^2)$, is not equal to zero. The discriminant is zero when $a = -3k^2$, $b = 2k^3$. (Although the factor $-16$ is irrelevant to whether or not the curve is non-singular, this definition of the discriminant
the quotient group $E(\mathbb{Q})/mE(\mathbb{Q})$ is finite (this is the weak Mordell–Weil theorem). Second, introducing a height function $h$ on the rational points $E(\mathbb{Q})$ defined by $h(P_0) = 0$ and $h(P) = \log \max(|p|, |q|)$ if $P$ (unequal to the point at infinity $P_0$) has as abscissa the rational number $x = p/q$ (with coprime $p$ and $q$). This height function $h$ has
the alternative SSH protocol and faster than using Diffie–Hellman key exchange with signed messages. It is also independent of third parties, unlike Kerberos. The SRP protocol, version 3, is described in RFC 2945. SRP version 6a is also used for strong password authentication in SSL/TLS (in TLS-SRP) and other standards such as EAP and SAML, and is part of IEEE 1363.2 and ISO/IEC 11770-4. The following notation
the client side having the user password and the server side having a cryptographic verifier derived from the password. The shared public key is derived from two random numbers, one generated by the client, and the other generated by the server, which are unique to the login attempt. In cases where encrypted communications as well as authentication are required, the SRP protocol is more secure than
the client unless they first perform a brute-force search for the password. In layman's terms, during SRP (or any other PAKE protocol) authentication, one party (the "client" or "user") demonstrates to another party (the "server") that they know the password, without sending the password itself or any other information from which the password can be derived. The password never leaves the client and
the content was not stored permanently, and that the company had organizational and technical measures to prevent access to private information. In 2017, Equifax withdrew its mobile phone apps following concern about MITM vulnerabilities. Bluetooth, a wireless communication protocol, has also been susceptible to man-in-the-middle attacks due to its wireless transmission of data. Other notable real-life implementations include
the cubic at a third point, $R$. We then take $P + Q$ to be $-R$, the point opposite $R$. This definition for addition works except in a few special cases related to the point at infinity and intersection multiplicity. The first is when one of the points is $O$. Here, we define $P + O = P = O + P$, making $O$ the identity of the group. If $P = Q$ we only have one point, thus we cannot define
the equations have identical $y$ values at these values (substituting the line into the curve equation). Since $x_P$, $x_Q$, and $x_R$ are solutions, the resulting cubic has its roots at exactly the same $x$ values as $(x - x_P)(x - x_Q)(x - x_R)$, and because both are cubics they must be the same polynomial up to a scalar. Equating the coefficients of $x^2$ in both and solving for the unknown $x_R$ gives $x_R = s^2 - x_P - x_Q$; $y_R$ follows from
the field $K$ (whose characteristic we assume to be neither 2 nor 3), and points $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ on the curve, assume first that $x_P \neq x_Q$ (case 1). Let $y = sx + d$ be the equation of the line that intersects $P$ and $Q$, which has the following slope: $s = \frac{y_Q - y_P}{x_Q - x_P}$. The line equation and the curve equation intersect at the points $x_P$, $x_Q$, and $x_R$, so
the field of rational numbers is also defined over the field of real numbers. Therefore, the law of addition (of points with real coordinates) by the tangent and secant method can be applied to $E$. The explicit formulae show that the sum of two points $P$ and $Q$ with rational coordinates has again rational coordinates, since the line joining $P$ and $Q$ has rational coefficients. This way, one shows that
the following:

Elliptic curve

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point $O$. An elliptic curve is defined over a field $K$ and describes points in $K^2$, the Cartesian product of $K$ with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as
the formulas are similar, with $s = \frac{x_P^2 + x_P x_Q + x_Q^2 + a x_P + a x_Q + b}{y_P + y_Q}$ and $x_R = s^2 - a - x_P - x_Q$. For a general cubic curve not in Weierstrass normal form, we can still define a group structure by designating one of its nine inflection points as the identity $O$. In the projective plane, each line will intersect
the identity on each trajectory curve. Topologically, a complex elliptic curve is a torus, while a complex ellipse is a sphere. Although the formal definition of an elliptic curve requires some background in algebraic geometry, it is possible to describe some features of elliptic curves over the real numbers using only introductory algebra and geometry. In this context, an elliptic curve
the intersection of two quadric surfaces embedded in three-dimensional projective space, is called an elliptic curve, provided that it is equipped with a marked point to act as the identity. Using the theory of elliptic functions, it can be shown that elliptic curves defined over the complex numbers correspond to embeddings of the torus into the complex projective plane. The torus is also an abelian group, and this correspondence
the key. While most of the additional state is public, private information could safely be added to the inputs to the hash function, like the server private key. Alternatively, in a password-only proof the calculation of $K$ can be skipped and the shared $S$ proven with: When using SRP to negotiate a shared key $K$ which will be immediately used after the negotiation, it is tempting to skip the verification steps of $M_1$ and $M_2$. The server will reject
the line between them. In this case, we use the tangent line to the curve at this point as our line. In most cases, the tangent will intersect a second point $R$ and we can take its opposite. If $P$ and $Q$ are opposites of each other, we define $P + Q = O$. Lastly, if $P$ is an inflection point (a point where the concavity of the curve changes), we take $R$ to be $P$ itself and $P + P$
the line equation and this is an element of $K$, because $s$ is. If $x_P = x_Q$, then there are two options: if $y_P = -y_Q$ (case 3), including the case where $y_P = y_Q = 0$ (case 4), then the sum is defined as $O$; thus, the inverse of each point on the curve is found by reflecting it across the $x$-axis. If $y_P = y_Q \neq 0$, then $Q = P$ and $R = (x_R, y_R) = -(P + P) = -2P = -2Q$ (case 2 using $P$ as $R$). The slope
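The case analysis of the group law (secant line for $x_P \neq x_Q$, tangent line for $P = Q$, opposite points summing to $O$, and $O$ as identity) carried out as arithmetic over a prime field $\mathbb{F}_p$, the setting in which elliptic curve cryptography actually uses it. This is an added example, not code from the article: the curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$ and the points used are chosen for the illustration, and the page's naming ($b$ and $c$ as the coefficients, so the discriminant test is $4b^3 + 27c^2 \neq 0$) is kept. The point at infinity is represented by `None`, and `pow(x, -1, p)` (Python 3.8+) supplies the field inverses.

```python
from dataclasses import dataclass


def is_singular(p, b, c):
    """y^2 = x^3 + bx + c is singular over F_p exactly when 4b^3 + 27c^2 == 0 (mod p)."""
    return (4 * b ** 3 + 27 * c ** 2) % p == 0


@dataclass(frozen=True)
class Curve:
    """The curve y^2 = x^3 + bx + c over the prime field F_p (p > 3), in the page's naming."""
    p: int
    b: int
    c: int

    def __post_init__(self):
        if is_singular(self.p, self.b, self.c):
            raise ValueError("singular curve: discriminant is zero mod p")

    def contains(self, P):
        if P is None:                  # None stands for the point at infinity O
            return True
        x, y = P
        return (y * y - (x ** 3 + self.b * x + self.c)) % self.p == 0

    def neg(self, P):
        """-P is the reflection of P across the x-axis."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        if P is None:
            return Q                   # O is the identity
        if Q is None:
            return P
        xP, yP = P
        xQ, yQ = Q
        if xP == xQ and (yP + yQ) % self.p == 0:
            return None                # cases 3 and 4: P = -Q, including yP = yQ = 0
        if P == Q:                     # case 2: tangent line at P
            s = (3 * xP * xP + self.b) * pow(2 * yP, -1, self.p) % self.p
        else:                          # case 1: secant line through P and Q
            s = (yQ - yP) * pow(xQ - xP, -1, self.p) % self.p
        xR = (s * s - xP - xQ) % self.p          # third intersection, then reflected
        yR = (s * (xP - xR) - yP) % self.p
        return (xR, yR)

    def mul(self, n, P):
        """n*P by double-and-add, the operation ECDH and ECDSA are built on."""
        R = None
        while n:
            if n & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            n >>= 1
        return R

    def count_points(self):
        """|E(F_p)| by brute force: O plus every (x, y) satisfying the equation."""
        return 1 + sum(
            1 for x in range(self.p) for y in range(self.p) if self.contains((x, y))
        )
```

On `Curve(23, 1, 1)` the secant case gives `add((3, 10), (9, 7)) == (17, 20)` and the tangent case gives `mul(2, (3, 10)) == (7, 12)`; the brute-force count finds 28 points, so by Lagrange `mul(28, P)` returns `None` for every point `P`. Passing $b = -3k^2$, $c = 2k^3$ (here $k = 1$, so $b \equiv 20$, $c = 2$ mod 23) makes the constructor reject the curve as singular.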
the method of tangents and secants detailed above, starting with a finite number of rational points. More precisely, the Mordell–Weil theorem states that the group $E(\mathbb{Q})$ is a finitely generated (abelian) group. By the fundamental theorem of finitely generated abelian groups it is therefore a finite direct sum of copies of $\mathbb{Z}$ and finite cyclic groups. The proof of the theorem involves two parts. The first part shows that for any integer $m > 1$,
the need for Alice and Bob to have a means to ensure that they are truly each using each other's public keys, and not the public key of an attacker. Otherwise, such attacks are generally possible, in principle, against any message sent using public-key technology. MITM attacks can be prevented or detected by two means: authentication and tamper detection. Authentication provides some degree of certainty that
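The substitution Mallory performs on Alice's and Bob's public values, and the way authenticating those values defeats it, worked through in code. This is an added example and not part of the original article. The Diffie–Hellman group is a toy one (the attack does not depend on the group), and a pre-shared MAC key stands in for the certificate or signature key the text describes; both are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, for illustration only: 2^61 - 1 is prime but
# far too small for real use. Assumed for this example.
P_DH = 2 ** 61 - 1
G_DH = 3


def dh_keypair():
    priv = secrets.randbelow(P_DH - 2) + 1
    return priv, pow(G_DH, priv, P_DH)


def dh_shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P_DH).to_bytes(8, "big")).digest()


def unauthenticated_exchange():
    """Alice and Bob accept whatever public value arrives; Mallory substitutes her own."""
    a, A = dh_keypair()          # Alice
    b, B = dh_keypair()          # Bob
    m, M = dh_keypair()          # Mallory, on the path between them
    # Mallory delivers M to both sides in place of A and B and relays traffic,
    # so each victim shares a key with Mallory while believing it is with the other.
    k_alice = dh_shared_key(a, M)
    k_bob = dh_shared_key(b, M)
    k_mallory_with_alice = dh_shared_key(m, A)
    k_mallory_with_bob = dh_shared_key(m, B)
    return {
        "alice_key_known_to_mallory": k_alice == k_mallory_with_alice,
        "bob_key_known_to_mallory": k_bob == k_mallory_with_bob,
        "alice_and_bob_agree": k_alice == k_bob,
    }


def tag(psk, pub):
    """Authenticate a public value. The pre-shared MAC key stands in for the
    certificate or signature key of the text; Mallory holds neither."""
    return hmac.new(psk, pub.to_bytes(8, "big"), "sha256").digest()


def authenticated_exchange(psk, mallory_present):
    """Bob accepts Alice's value only if its tag verifies, so substitution is detected."""
    a, A = dh_keypair()
    tag_A = tag(psk, A)
    if mallory_present:
        m, M = dh_keypair()
        received_pub, received_tag = M, tag_A   # Mallory can swap the value but not re-tag it
    else:
        received_pub, received_tag = A, tag_A
    return hmac.compare_digest(tag(psk, received_pub), received_tag)
```

`unauthenticated_exchange()` reports that Mallory holds both session keys and that Alice and Bob do not actually share one; `authenticated_exchange(psk, True)` returns `False` because the substituted value fails the check, which is the detection the text refers to. In deployed protocols the tag is a signature verified against a certificate chain, and the remaining question is exactly the one the text raises: how each side obtains the key that authenticates that chain.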
the number of independent points of infinite order, is called the rank of $E$. The Birch and Swinnerton-Dyer conjecture is concerned with determining the rank. One conjectures that it can be arbitrarily large, even if only examples with relatively small rank are known. The elliptic curve with the currently largest exactly known rank has rank 20; it was found by Noam Elkies and Zev Klagsbrun in 2020. Curves of rank higher than 20 have been known since 1994, with lower bounds on their ranks ranging from 21 to 29, but their exact ranks are not known and in particular it
the origin of the term. However, there is a natural representation of real elliptic curves with shape invariant $j \geq 1$ as ellipses in the hyperbolic plane $\mathbb{H}^2$. Specifically, the intersections of the Minkowski hyperboloid with quadric surfaces characterized by a certain constant-angle property produce the Steiner ellipses in $\mathbb{H}^2$ (generated by orientation-preserving collineations). Further,
the orthogonal trajectories of these ellipses comprise the elliptic curves with $j \leq 1$, and any ellipse in $\mathbb{H}^2$ described as a locus relative to two foci is uniquely the elliptic curve sum of two Steiner ellipses, obtained by adding the pairs of intersections on each orthogonal trajectory. Here, the vertex of the hyperboloid serves as
the point $O$ being the unique point at infinity. Many sources define an elliptic curve to be simply a curve given by an equation of this form. (When the coefficient field has characteristic 2 or 3, the above equation is not quite general enough to include all non-singular cubic curves; see the section on elliptic curves over a general field.) An elliptic curve is an abelian variety, that is, it has
the property that $h(mP)$ grows roughly like the square of $m$. Moreover, only finitely many rational points with height smaller than any constant exist on $E$. The proof of the theorem is thus a variant of the method of infinite descent and relies on the repeated application of Euclidean divisions on $E$: let $P \in E(\mathbb{Q})$ be a rational point on the curve, writing $P$ as the sum $2P_1 + Q_1$ where $Q_1$
the protocol only one password can be guessed per connection attempt. One of the interesting properties of the protocol is that even if one or two of the cryptographic primitives it uses are attacked, it is still secure. The SRP protocol has been revised several times, and is currently at revision 6a. The SRP protocol creates a large private key shared between the two parties in a manner similar to Diffie–Hellman key exchange based on
the registration request is not covered in SRP. Then, to perform a proof of password at a later date, the following exchange protocol occurs: Now the two parties have a shared, strong session key $K$. To complete authentication, they need to prove to each other that their keys match. One possible way is as follows: This method requires guessing more of the shared state to be successful in impersonation than just
the secure channel, though some have attempted to remove the requirement for any secure channel at all. A public key infrastructure, such as Transport Layer Security, may harden Transmission Control Protocol against MITM attacks. In such structures, clients and servers exchange certificates which are issued and verified by a trusted third party called a certificate authority (CA). If the original key to authenticate this CA has not been itself
the server in order to authenticate that transaction. DNSSEC extends the DNS protocol to use signatures to authenticate DNS records, preventing simple MITM attacks from directing a client to a malicious IP address. Latency examination can potentially detect the attack in certain situations, such as with long calculations that lead into tens of seconds, like hash functions. To detect potential attacks, parties check for discrepancies in response times. For example: say that two parties normally take
the server sends an encrypted message in the second packet alongside the salt and $B$, or if key verification is skipped and the server (rather than the client) sends the first encrypted message. This is tempting because after the very first packet the server has all the information needed to compute the shared key $K$. The attack goes as follows: Carol doesn't know $x$ or $v$. But given any password $p$ she can compute $K_p$, which
the set of rational points of $E$ forms a subgroup of the group of real points of $E$. This section is concerned with points $P = (x, y)$ of $E$ such that $x$ is an integer. For example, the equation $y^2 = x^3 + 17$ has eight integral solutions with $y > 0$: As another example, Ljunggren's equation, a curve whose Weierstrass form is $y^2 = x^3 - 2x$, has only four solutions with $y \geq 0$: Rational points can be constructed by
the subject of a MITM attack, then the certificates issued by the CA may be used to authenticate the messages sent by the owner of that certificate. Use of mutual authentication, in which both the server and the client validate the other's communication, covers both ends of a MITM attack. If the server's or client's identity is not verified or is deemed invalid, the session will end. However, the default behavior of most connections
the very first request from the client which it cannot decrypt. This can however be dangerous, as demonstrated in the Implementation Pitfalls section below. The two parties also employ the following safeguards: If the server sends an encrypted message without waiting for verification from the client, then an attacker is able to mount an offline brute-force attack similar to hash cracking. This can happen if
the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. In this scenario, the attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within range of
was properly decrypted is easy. This allows offline recovery of the password. This attack would not be possible had Steve waited for Carol to prove she was able to compute the correct key before sending an encrypted message. Proper implementations of SRP are not affected by this attack, as the attacker would be unable to pass the key verification step. In 2021 Daniel De Almeida Braga, Pierre-Alain Fouque and Mohamed Sabt published PARASITE,
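Both the protocol as described (registration of $s$ and $v = g^x$, the $A$/$B$ exchange, the shared $K$, and the $M_1$/$M_2$ confirmation with the abort-on-zero safeguards) and the implementation pitfall just discussed, as one worked example. This is added code and not part of the original article or of any SRP library. Assumptions made for it: the modulus is the 1024-bit group from RFC 5054 Appendix A with $g = 2$ (transcribed from memory; verify against the RFC before relying on it), $x = H(s, p)$ follows the page's notation rather than the RFC 2945 form that also hashes the identity, all hashes are SHA-256 over big-endian encodings, and the "encrypted message" Steve sends too early is protected by a toy SHA-256 counter-mode stream cipher whose plaintext starts with a recognisable `SRP-HELLO` tag, standing in for the structured protocol messages the text mentions.

```python
import hashlib
import secrets

# Group: the 1024-bit SRP group from RFC 5054 Appendix A with g = 2 (transcribed
# from memory for this example; check it against the RFC before real use).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2


def to_bytes(v):
    return v if isinstance(v, bytes) else v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")


def H(*parts):
    """SHA-256 over the concatenation of byte strings and big-endian integers, as an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(to_bytes(p))
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def register(password):
    """Registration: Steve keeps (s, v); x and the password are discarded after this."""
    s = secrets.token_bytes(16)
    x = H(s, password)
    return s, pow(g, x, N)                      # v = g^x


def client_start():
    a = secrets.randbelow(N - 1) + 1
    return a, pow(g, a, N)                      # A = g^a


def server_start(v):
    b = secrets.randbelow(N - 1) + 1
    return b, (k * v + pow(g, b, N)) % N        # B = kv + g^b


def client_key(password, s, a, A, B):
    """K as computed by anyone holding (s, A, B, a) and a candidate password."""
    if B % N == 0:
        raise ValueError("abort: B mod N == 0")
    u, x = H(A, B), H(s, password)
    if u == 0:
        raise ValueError("abort: u == 0")
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # S = (B - k g^x)^(a + ux)
    return H(S)


def server_key(v, b, A, B):
    if A % N == 0:
        raise ValueError("abort: A mod N == 0")
    u = H(A, B)
    S = pow(A * pow(v, u, N) % N, b, N)                  # S = (A v^u)^b
    return H(S)


def m1(I, s, A, B, K):
    return H(H(N) ^ H(g), H(I), s, A, B, K)


def m2(A, M1, K):
    return H(A, M1, K)


def handshake(I, client_password, s, v):
    """Correct SRP-6a login: Steve uses nothing keyed under K until M1 has verified."""
    a, A = client_start()
    b, B = server_start(v)
    Kc = client_key(client_password, s, a, A, B)
    Ks = server_key(v, b, A, B)
    M1 = m1(I, s, A, B, Kc)
    if M1 != m1(I, s, A, B, Ks):
        return False                              # server rejects; K is never used
    return m2(A, M1, Ks) == m2(A, M1, Kc)          # client checks the server's proof


def xor_stream(K, data):
    """Toy stream cipher keyed by K (SHA-256 counter mode), standing in for the real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(to_bytes(K) + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def vulnerable_server(s, v, A):
    """Pitfall: Steve encrypts under K in his first packet, before Carol has proved anything."""
    b, B = server_start(v)
    K = server_key(v, b, A, B)
    return s, B, xor_stream(K, b"SRP-HELLO: welcome back")


def offline_dictionary_attack(candidates, server):
    """Carol needs no password to open the connection; one packet lets her test guesses offline."""
    a, A = client_start()
    s, B, c = server(A)
    for guess in candidates:
        K_p = client_key(guess, s, a, A, B)       # the K Steve would have used if guess == p
        if xor_stream(K_p, c).startswith(b"SRP-HELLO"):
            return guess
    return None
```

`handshake` returns `True` only when both confirmation values match, and the server never releases anything keyed under $K$ before checking $M_1$, so a wrong guess costs the attacker a full connection. `offline_dictionary_attack` needs the same one connection regardless of how many passwords it tests: every guess is checked against the captured ciphertext with local arithmetic, which is exactly the hash-cracking situation the text compares it to. Note also that `client_key` is the same function for the honest client and for the attacker; the only difference is who supplies the password argument.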
was published in 2000. SRP-6, which fixes "two-for-one" guessing and message ordering attacks, was published in 2002. SRP-6a appeared in the official "libsrp" in version 2.1.0, dated 2005. SRP-6a is found in standards as: IEEE 1363.2 also includes a description of "SRP5", a variant replacing the discrete logarithm with an elliptic curve, contributed by Yongge Wang in 2001. It also describes SRP-3 as found in RFC 2945.

Man-in-the-middle attack

In cryptography and computer security,