Using the Secure Remote Password (SRP) Protocol for TLS Authentication
RFC 5054

Document type: RFC - Informational (November 2007; Errata)
Document stream: IETF
Last updated: 2013-03-28

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5054 (Informational)
Responsible AD: Tim Polk
Send notices to: ekr@networkresonance.com, Pasi.Eronen@nokia.com

Network Working Group                                          D. Taylor
Request for Comments: 5054                                   Independent
Category: Informational                                            T. Wu
                                                                   Cisco
                                                    N. Mavrogiannopoulos
                                                               T. Perrin
                                                             Independent
                                                           November 2007

 Using the Secure Remote Password (SRP) Protocol for TLS Authentication

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   This memo presents a technique for using the Secure Remote Password
   protocol as an authentication method for the Transport Layer Security
   protocol.

Taylor, et al.               Informational                      [Page 1]
RFC 5054            Using SRP for TLS Authentication       November 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  SRP Authentication in TLS  . . . . . . . . . . . . . . . . . .  3
     2.1.  Notation and Terminology . . . . . . . . . . . . . . . . .  3
     2.2.  Handshake Protocol Overview  . . . . . . . . . . . . . . .  4
     2.3.  Text Preparation . . . . . . . . . . . . . . . . . . . . .  5
     2.4.  SRP Verifier Creation  . . . . . . . . . . . . . . . . . .  5
     2.5.  Changes to the Handshake Message Contents  . . . . . . . .  5
       2.5.1.  Client Hello . . . . . . . . . . . . . . . . . . . . .  6
       2.5.2.  Server Certificate . . . . . . . . . . . . . . . . . .  7
       2.5.3.  Server Key Exchange  . . . . . . . . . . . . . . . . .  7
       2.5.4.  Client Key Exchange  . . . . . . . . . . . . . . . . .  8
     2.6.  Calculating the Premaster Secret . . . . . . . . . . . . .  8
     2.7.  Ciphersuite Definitions  . . . . . . . . . . . . . . . . .  9
     2.8.  New Message Structures . . . . . . . . . . . . . . . . . .  9
       2.8.1.  Client Hello . . . . . . . . . . . . . . . . . . . . . 10
       2.8.2.  Server Key Exchange  . . . . . . . . . . . . . . . . . 10
       2.8.3.  Client Key Exchange  . . . . . . . . . . . . . . . . . 11
     2.9.  Error Alerts . . . . . . . . . . . . . . . . . . . . . . . 11
   3.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
     3.1.  General Considerations for Implementors  . . . . . . . . . 12
     3.2.  Accepting Group Parameters . . . . . . . . . . . . . . . . 12
     3.3.  Protocol Characteristics . . . . . . . . . . . . . . . . . 12
     3.4.  Hash Function Considerations . . . . . . . . . . . . . . . 13
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 13
   5.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     5.1.  Normative References . . . . . . . . . . . . . . . . . . . 14
     5.2.  Informative References . . . . . . . . . . . . . . . . . . 15
   Appendix A.  SRP Group Parameters  . . . . . . . . . . . . . . . . 16
   Appendix B.  SRP Test Vectors  . . . . . . . . . . . . . . . . . . 21
   Appendix C.  Acknowledgements  . . . . . . . . . . . . . . . . . . 22

1.  Introduction

   At the time of writing, TLS [TLS] uses public key certificates,
   pre-shared keys, or Kerberos for authentication.

   These authentication methods do not seem well suited to certain
   applications now being adapted to use TLS ([IMAP], for example).
   Given that many protocols are designed to use the user name and
   password method of authentication, being able to safely use user
   names and passwords provides an easier route to additional security.

   SRP ([SRP], [SRP-6]) is an authentication method that allows the use
   of user names and passwords over unencrypted channels without
   revealing the password to an eavesdropper.  SRP also supplies a
   shared secret at the end of the authentication sequence that can be
   used to generate encryption keys.

   This document describes the use of the SRP authentication method for
   TLS.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [REQ].

2.  SRP Authentication in TLS

2.1.  Notation and Terminology
