Network Working Group                                          D. Taylor
Request for Comments: 5054                                   Independent
Category: Informational                                            T. Wu
                                                                   Cisco
                                                    N. Mavrogiannopoulos
                                                               T. Perrin
                                                             Independent
                                                           November 2007

Using the Secure Remote Password (SRP) Protocol for TLS Authentication

Status of This Memo

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

Abstract

This memo presents a technique for using the Secure Remote Password
protocol as an authentication method for the Transport Layer Security
protocol.

Taylor, et al. Informational [Page 1]
RFC 5054 Using SRP for TLS Authentication November 2007
Table of Contents

1. Introduction
2. SRP Authentication in TLS
  2.1. Notation and Terminology
  2.2. Handshake Protocol Overview
  2.3. Text Preparation
  2.4. SRP Verifier Creation
  2.5. Changes to the Handshake Message Contents
    2.5.1. Client Hello
    2.5.2. Server Certificate
    2.5.3. Server Key Exchange
    2.5.4. Client Key Exchange
  2.6. Calculating the Premaster Secret
  2.7. Ciphersuite Definitions
  2.8. New Message Structures
    2.8.1. Client Hello
    2.8.2. Server Key Exchange
    2.8.3. Client Key Exchange
  2.9. Error Alerts
3. Security Considerations
  3.1. General Considerations for Implementors
  3.2. Accepting Group Parameters
  3.3. Protocol Characteristics
  3.4. Hash Function Considerations
4. IANA Considerations
5. References
  5.1. Normative References
  5.2. Informative References
Appendix A. SRP Group Parameters
Appendix B. SRP Test Vectors
Appendix C. Acknowledgements

1. Introduction

At the time of writing TLS [TLS] uses public key certificates,
pre-shared keys, or Kerberos for authentication.

These authentication methods do not seem well suited to certain
applications now being adapted to use TLS ([IMAP], for example).
Given that many protocols are designed to use the user name and
password method of authentication, being able to safely use user
names and passwords provides an easier route to additional security.

SRP ([SRP], [SRP-6]) is an authentication method that allows the use
of user names and passwords over unencrypted channels without
revealing the password to an eavesdropper. SRP also supplies a
shared secret at the end of the authentication sequence that can be
used to generate encryption keys.

This document describes the use of the SRP authentication method for
TLS.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [REQ].

2. SRP Authentication in TLS
2.1. Notation and Terminology