The Sandbox Thread

3 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Secure Remote Password (SRP) in WSE

Back to Forum: The Sandbox
  • User profile image
    staceyw

    Here is a Solution to obtain a security token in WSE using SRP6.
    It has a WSE client and a WSE service and a SRP Library and CreateUser GUI to test the complete solution.  Everything was created in C#.  Mono.Math was used for BigInteger support.

    SRP Summary:
    SRP was developed in 1997; SRP is a strong password authentication protocol that is now widespread among Open Source and commercial products.
    SRP does not expose passwords to either passive or active network intruders, and it stores passwords as a "non-plaintext-equivalent" one-way hash
    on the server. SRP is available as part of standard Telnet and FTP implementations, and is being rapidly incorporated into Internet protocols
    that require strong password authentication.

    Here are some of the benefits:
    - Does not require anything more then a memorized password and produces a secure authentication and key-exchange as result.
    - No key servers, PKI, Certs or stored session keys. This makes it simple and flexible for many uses.
    - No key storage problem. No public or private keys keys are stored on client or server.
    - Works very well with custom User/Password database. Server only generates and stores a username, verifier, and salt when account is created.
    - Password DB is secure (even from Admins).
    - Wire-Secure, even if weak passwords are used.
    - Can not "dictionary attack" the secret even if attacker captures the message exchange.
    - Meets the strictest requirement laid down in RFC 1704 for a non-disclosing authentication protocol.
    - Offers complete protection against both passive and active attacks using a single Diffie-Hellman "style" round of computation.
    - Because no clear password is sent or reproduced, no passwords are "floating" around in the server pipe-line. This does mean, however, that
      Windows authentication (i.e. LogonUser) can not be done directly. You could, however, get an anonymous SCT first using SRP, then use that to encrypt a UserToken or other.
    - After we get an SCT using SRP, we get out of the way. You are free to use the SCT as normal in your WSE web methods.

    What is in the Solution (Zip file):
    The following projects are in the solution.
    - CreateUser - simple gui program to create User records (i.e. username, verifier, salt). Paste output to your srpdb.txt file (the password db).
    - SRP6Library - Contains the SRP method and math. Mono.Math is used for BigInteger support.
      - SRPClient - WSE proxy to call the SRP service methods. Client will only need to call these methods to get an SCT using SRP.
      - SRPFunctions - All the math and SRP algo.
      - SRPInfo - Used internally on the server side to hold state between first SRP call and Proof step.
      - SRPLogonManger - Abstract base class.  Must derive from this class and implement your Logon provider.  Simple file provider is in SrpWseServer project.
      - SRPRequest - The first SRP request.
      - SRPReply - The reply from the service.
      - VerifyRequest - The client's proof of Key request. Second and last step of SRP authentication.
      - SRPService - The public "wrapper" around all the SRP stuff. Web service will only need to call these static methods.
    - SrpWseClient - Contains the WSE test client.
    - SrpWseServer - Contains the WSE test service.

    How it works:
    Client:
    - Client Creates an SRPClient proxy passing an endpoint.
    - Client calls srpClient.GetSCT(userName, password) to get an SCT token.
    - Client uses the SCT as normal to secure soap messages.

    Server:
    - Server side needs to derive a class from SRPLogonManager and at least implement the LookupUser() method. This returns the user info from DB or file, etc.
    - Server needs to export two public web methods (GetSctSrp and VerifyKey). The simplest place to put these methods is right in your web service.
    - The two web methods simple wrap and call the SRPService.GetSctSrp and SRPService.VerifyKey static methods. No special knowledge of SRP is required.
    - Server creates and updates User records using it's own methods (DB, text, xml, etc). You only need to call SRPService.CreatePasswordVerifier() static method
      to create the verifier and salt to store in your DB for that username.  The only requirement is that LookupUser() returns the same verifier and salt created
      from the CreatePasswordVerifier() method.

    Refs:
    http://srp.stanford.edu/ndss.html
    http://srp.stanford.edu/doc.html#ietf
    http://srp.stanford.edu/design.html (SRP-6a Protocol Summary)
    http://www.ietf.org/rfc/rfc2945.txt

    Please post questions or comments.  Cheers!
    --William Stacey [MVP]

  • User profile image
    staceyw

    BTW- The VS Solution is in the SrpWseServer dir.  Just open the solution to see all the projects.  Click Run to launch the service.  Then right-click SrpWseClient and Debug/Start new instace to start the client to test.

    --
    wjs

  • User profile image
    krsna

    Wow! I have to look this up, but it seems very impressive!
    Thanks Smiley
    S.Vidyaraman

Conversation locked

This conversation has been locked by the site admins. No new comments can be made.