reconsider SRP, it's way cool

Tom Wu tom at arcot.com
Thu Mar 30 22:32:43 EST 2000 

"Adam M. Costello" wrote:
> 
> I just joined the list, and I see in the archives that about a month ago
> there was a brief discussion of SRP, but it was dismissed.
> 
> I urge people to take a look at this site:
> 
> http://srp.stanford.edu/srp/
> 
> It's very cool.

As the author/inventor of SRP, I'd be willing to lend a hand to help get
SRP incorporated as an authentication mechanism in OpenSSH.  It fixes
the public key spoofing attack without having to rely on stored keys,
and it resists attacks against low-entropy passphrases.

I would suggest incorporating the SSH host public key into the SRP
exchange, so that the authentication step also confirms the integrity of
the SSH host key.  This way, the underlying SSH protocol need not
change, and it gains the extra security offered by SRP with no
inconvenience penalty.

SRP is Open Source, so it is even less encumbered that RSA
authentication, at least until this September. :)

> Let's say I'm on vacation visiting a friend, and I want to log in to
> my account back home.  I trust my friend's machine, but I don't have
> my home machine's public key, nor my personal keys, and there's no
> secure way for me to get them.  If I try to use ssh with password
> authentication, a man in the middle can get my password.  Ssh is a
> wonderful tool that solves almost all my security problems, except for
> this one, and it's a fairly common one.
> 
> With SRP, all I need to know is my password, and the two machines
> can mutually authenticate each other with no risk of a man in the
> middle learning anything.  If this technique had existed when ssh was
> originally written, it surely would have been used.
> 
> I think SRP would be a valuable addition to the ssh protocol, but where
> should that discussion should take place?  Are there still people
> working on standardizing the ssh protocol?
> 
> It's tricky because ssh and SRP use different models of session
> establishment: ssh first authenticates the server using a public key,
> then chooses a session key, then authenticates the client using any of a
> number of methods.  SRP first mutually authenticates both the server and
> client using only a password, and a session key falls out.
> 
> One idea is to have a mode where ssh provisionally accepts an unknown
> host key, but doesn't write it to known_hosts unless SRP is subsequently
> used successfully.  The key that falls out of SRP could be used to
> change the session key, but I'm not sure that's necessary.
> 
> AMC

-- 
Tom Wu
Principal Software Engineer
Arcot Systems Inc.
(650) 565-7007

More information about the openssh-unix-dev mailing list