This is to announce the availability of SRP (Secure Remote Password) support for OpenSSH. A tarball is available on Tripod:

http://members.tripod.com/professor_tom/archives/
http://members.tripod.com/professor_tom/archives/openssh-2.5.2p2-srp5.tar.gz

(Note: Tripod requires you to LEFT click on links to download files.)

To install, unpack, configure --with-srp, and make install, then create an SRP verifier (your "password" file) with srp-keygen, and edit your config files to enable SRP authentication (you may want to disable some other methods at the same time).

Features:

* Strong authentication of both client *and* server, to protect against server-spoofing attacks.

* Implements SRP as an SSH2 "authentication method"; the session id generated during key exchange is built into the SRP exchange hashes, which provides strong authentication of the host key as well as the user verifier. This protects against spoofed servers even when the host key changes and/or the client doesn't know the host key.

* Fully compatible with the Stanford SRP distribution, so if you already have an /etc/tpasswd file it'll get used (libsrp is NOT required).

* No legal issues. Here's a quote from Tom Wu, the designer of SRP:

  "The past ambiguity has been resolved. SRP is royalty-free for commercial and non-commercial use worldwide. The licensing statements on the Web site, in the distribution, and other places (like the IETF) are clear on this issue." -- Tom Wu

* Several alpha versions were checked over by Tom and several other readers of this list.

* Draft protocol documentation included in the tarball.

* Conforms to OpenBSD style(9) guidelines.

Please note this is the first public release of this code. It is not intended for production environments and there may be major security holes, though none are currently known. Please help us test this patch, and get it ready for inclusion in the mainline code. It has been tested on Irix/SGI, Linux/Alpha, Linux/x86, and a few other systems.
Please send all bug reports/patches/complaints to me, Tom Holroyd <tomh at po.crl.go.jp>.

md5sum (note tar file not gzip):
c409d865a44c85de95f9b9f778502b9c  openssh-2.5.2p2-srp5.tar

GPG signature (key on homepage):

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which chemical forces are used in repetitious fashion to produce all kinds of weird effects (one of which is the author)." -- Richard Feynman, _There's Plenty of Room at the Bottom_
Measurement of SRP verifier strength against an offline dictionary attack.

Intro

In a dictionary attack, an SRP verifier is computed for all words in a dictionary of possible passwords, given constant username, salt, and SRP parameters (prime modulus and generator), and compared against a stolen verifier.

Methods

The dictionary used contained 10,000 words chosen at random from a larger corpus. The average word length was 7.76 characters. A large sample of verifiers was prepared using passphrase lengths of 8, 16, 24, and 32 characters, and the user name 'alice'. 10 verifiers were prepared for each prime in the default list (the 'primes' file plus the libsrp primes) from the OpenSSH+SRP distribution. The passphrases were not in the dictionary.

The user time (returned by the times() function) was measured for the time taken to check all 10,000 words against each known verifier. Times were measured on a 667 MHz Linux/Alpha 21264. Results are given as the "crack rate" in words per second (wps). Higher rates mean the dictionary attack succeeds sooner.

Results

In general, longer primes had lower crack rates. The following table summarizes the average wps across all primes of a given size.

+------+----------+------+
| bits | avg_wps  | n    |
+------+----------+------+
|  512 | 2123.036 |   40 |
|  640 | 1588.509 |   40 |
|  768 | 1381.072 |   80 |
| 1024 | 1015.222 |   80 |
| 1026 |  947.602 | 1680 |
| 1280 |  742.186 |   40 |
| 1536 |  576.117 |   40 |
| 2048 |  368.924 |   40 |
| 2049 |  357.929 | 1040 |
+------+----------+------+

For these rates, doubling the size of the prime increases the time to do the dictionary search by an average factor of approximately 2.5.

These rates are to be compared with the DES (*nix crypt()) rate on the same machine of ~300,000 wps, the MD5 rate of 704 wps, and the Blowfish rate of 90 wps (values from a "John the Ripper" benchmark). Thus a prime length of about 1350 bits matches the MD5 rate. (Note that md5_crypt() was designed to be very slow, and runs over 1000 separate hashes to build the passwd entry, while most of the SRP time is in a single modular exponentiation.)

For a given bit length, the choice of prime (when a choice was available) made only a small difference. The table shows the percent difference between the minimum and maximum average crack rates across primes of a given length.

+------+----------+----------+---------+----+
| bits | min_wps  | max_wps  | percent | n  |
+------+----------+----------+---------+----+
|  768 | 1379.679 | 1382.464 |   0.201 |  2 |
| 1024 | 1001.226 | 1033.758 |  3.147* |  2 |
| 1026 |  938.486 |  959.641 |  2.204* | 42 |
| 2049 |  356.257 |  360.235 |   1.104 | 26 |
+------+----------+----------+---------+----+

* these values are actually too high because network time synchronization operations on this machine caused several jumps in the system clock during the test

Passphrase length was not a factor; the differences in crack rate were negligible, and when the average rate was appropriately normalized, the passphrase lengths were ordered randomly. This was to be expected, because all passphrases are hashed to the same length.

In summary, while the SRP protocol itself remains strong even with a low entropy passphrase, the verifier entries are no stronger than with other common methods (except DES). Thus it may be assumed that stolen verifier files (such as /etc/tpasswd and $HOME/.ssh/verifier) are typically vulnerable, where "typically" refers to the fact that many users choose very bad passwords. Even for 2049 bit primes, 10 million passphrases can be checked in less than 8 hours on this machine. High entropy passphrases, of course, result in verifiers that resist dictionary or brute force attack: 8 characters chosen at random from [a-z0-9] takes over 90 years on average with a 1026 bit modulus, and 250 years with a 2049 bit modulus.

Dr. Tom Holroyd
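The arithmetic behind the measurements above, as an added example that is not code from the post or from the OpenSSH+SRP patch: the verifier derivation follows RFC 2945 (x = SHA1(s | SHA1(I ":" P)), v = g^x mod N, the scheme the Stanford SRP distribution uses), the 23/5 toy group is constructed for the tests, and the benchmark modulus is a random odd number of the requested length used only as a timing stand-in. Running it reproduces why passphrase length did not matter (x is always 160 bits) and converts a measured rate into the search time for a keyspace.

```python
import hashlib
import secrets
import time

# Toy safe-prime group, constructed for the tests only; a real verifier
# file would use one of the 1024-bit or larger groups from the 'primes' file.
TOY_N, TOY_G = 23, 5


def srp_private_key(username: str, password: str, salt: bytes) -> int:
    """x = SHA1(salt | SHA1(username ':' password)), per RFC 2945.
    x is always 160 bits whatever the passphrase length, which is why the
    measured crack rate did not depend on passphrase length."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def srp_verifier(N: int, g: int, username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N: the single modular exponentiation that dominates the cost of one guess."""
    return pow(g, srp_private_key(username, password, salt), N)


def verifiers_per_second(bits: int, samples: int = 200) -> float:
    """Benchmark verifier derivation for a modulus of the given size.
    Exponentiation cost depends on the length of N, not on its primality, so a
    random odd number of that length is a valid timing stand-in (it is NOT a
    usable SRP group)."""
    N = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    salt = secrets.token_bytes(10)
    start = time.perf_counter()
    for i in range(samples):
        srp_verifier(N, 2, "alice", f"guess{i}", salt)
    return samples / (time.perf_counter() - start)


def years_to_search(keyspace: int, wps: float) -> float:
    """Years needed to derive a verifier for every candidate in the keyspace at the given rate."""
    return keyspace / wps / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # [a-z0-9]^8 at the post's 1026-bit rate (947.602 wps) comes to about 94 years,
    # and at the 2049-bit rate (357.929 wps) to about 250 years.
    for bits in (512, 1024, 2048):
        rate = verifiers_per_second(bits)
        print(f"{bits:5d}-bit modulus: {rate:9.1f} wps, "
              f"[a-z0-9]^8 search: {years_to_search(36 ** 8, rate):8.1f} years")
```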
I'm curious about the "primes" file included with OpenSSH-2.5.2p2. Where did it come from and what is the policy regarding the values it contains, or will contain in the future?

SRP has different requirements from Diffie-Hellman. In particular, for SRP the generator must be primitive. It turns out that the "primes" file contains only safe primes with primitive generators, and is thus ideal for SRP, but so far in OpenSSH it has only been used for DH, which doesn't require this.

Right now the SRP patch uses these primes during construction of the srp-param.c file. It does test them first, and will reject any entries that are not safe enough, but it would be nice to know that there are no plans to put unsafe primes or non-primitive generators in this file.

As a side issue, the SRP patch compiles the primes into libssh, and provides a function srp_get_param() which could be used to replace the file-reading code that is currently in dh.c, as well as an is_safe_group() function that can be used to check DH parameters*. This removes the requirement of having to install an extra configuration file.

* This is not currently done in OpenSSH -- in fact as far as I can tell, using the DH_GEX_SHA1 key exchange method, an attacker can send a modulus that is not prime (only the length is checked). Is this not a problem?

Dr. Tom Holroyd
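The group validation the post asks for, as an added example that is not the patch's own is_safe_group(): N must be a safe prime (N = 2q + 1 with q prime) of sufficient length, and g must be a primitive root, which is the requirement that separates SRP from DH (DH is content with a g of order q). The 23/5, 23/2 and 1019/2 groups in the comments are constructed test values; the Miller-Rabin bases are random rather than fixed because the modulus may come from the peer.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 64) -> bool:
    """Miller-Rabin with random bases. Fixed bases would be wrong here: when the
    number under test is supplied by the peer (as in DH group exchange), composites
    that pass any fixed set of bases can be constructed in advance."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness: n is composite
    return True


def is_safe_group(N: int, g: int, min_bits: int = 1024) -> bool:
    """Accept (N, g) only if N is a safe prime of at least min_bits and g is a
    primitive root mod N, i.e. g^2 != 1 and g^q != 1 (mod N) with q = (N-1)/2.
    Example (constructed): (23, 5) passes; (23, 2) fails because 2^11 = 1 mod 23,
    so 2 generates only the order-11 subgroup: acceptable for DH, not for SRP."""
    if N.bit_length() < min_bits or not is_probable_prime(N):
        return False
    q = (N - 1) // 2
    if not is_probable_prime(q):
        return False
    if not 1 < g < N - 1:
        return False
    return pow(g, 2, N) != 1 and pow(g, q, N) != 1
```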