@node Shared-key and anonymous authentication
@section Shared-key and anonymous authentication

In addition to certificate authentication, the TLS protocol may be
used with password, shared-key and anonymous authentication methods.
The rest of this chapter discusses details of these methods.

@menu
* PSK authentication::
* SRP authentication::
* Anonymous authentication::
@end menu

@node PSK authentication
@subsection PSK authentication

@menu
* Authentication using PSK::
* psktool Invocation:: Invoking psktool
@end menu

@node Authentication using PSK
@subsubsection Authentication using @acronym{PSK}
@cindex PSK authentication

Authentication using pre-shared keys is a method to authenticate using
usernames and binary keys. This protocol avoids making use of public
key infrastructure and expensive calculations, thus it is suitable for
constrained clients. It is available under all TLS protocol versions.

The implementation in @acronym{GnuTLS} is based on @xcite{TLSPSK}.
The supported @acronym{PSK} key exchange methods are:

@table @code

@item PSK:
Authentication using the @acronym{PSK} protocol (no forward secrecy).

@item DHE-PSK:
Authentication using the @acronym{PSK} protocol and Diffie-Hellman key
exchange. This method offers perfect forward secrecy.

@item ECDHE-PSK:
Authentication using the @acronym{PSK} protocol and elliptic curve Diffie-Hellman key
exchange. This method offers perfect forward secrecy.

@item RSA-PSK:
Authentication using the @acronym{PSK} protocol for the client and an RSA certificate
for the server. This is not available under TLS 1.3.

@end table

Helper functions to generate and maintain @acronym{PSK} keys are also included
in @acronym{GnuTLS}.

@showfuncC{gnutls_key_generate,gnutls_hex_encode,gnutls_hex_decode}

@include invoke-psktool.texi

@node SRP authentication
@subsection SRP authentication

@menu
* Authentication using SRP::
* srptool Invocation:: Invoking srptool
@end menu

@node Authentication using SRP
@subsubsection Authentication using @acronym{SRP}
@cindex SRP authentication

@acronym{GnuTLS} supports authentication via the Secure Remote Password
or @acronym{SRP} protocol (see @xcite{RFC2945,TOMSRP} for a description).
The @acronym{SRP} key exchange is an extension to the
@acronym{TLS} protocol, and it provides a password-authenticated
key exchange. The peers can be identified using a single password,
or there can be combinations where the client is authenticated using @acronym{SRP}
and the server using a certificate. It is only available under TLS 1.2 or earlier
versions.

The advantage of @acronym{SRP} authentication, over other proposed
secure password authentication schemes, is that @acronym{SRP} is not
susceptible to off-line dictionary attacks.
Moreover, @acronym{SRP} does not require the server to hold the user's password.
This kind of protection is similar to the one used traditionally in the @acronym{UNIX}
@file{/etc/passwd} file, where the contents of this file did not cause
harm to the system security if they were revealed. Instead of the plain
password, @acronym{SRP} needs a value called a verifier, which
is calculated using the user's password, and if stolen cannot be used
to impersonate the user.
@c The Stanford @acronym{SRP} libraries, include a PAM module that synchronizes
@c the system's users passwords with the @acronym{SRP} password
@c files. That way @acronym{SRP} authentication could be used for all users
@c of a system.

Typical conventions in SRP are a password file, called @file{tpasswd}, that
holds the SRP verifiers (encoded passwords) and another file, @file{tpasswd.conf},
which holds the allowed SRP parameters. The helpers included in GnuTLS
follow those conventions. The srptool program, discussed in the next section,
is a tool to manipulate the SRP parameters.

The implementation in @acronym{GnuTLS} is based on @xcite{TLSSRP}. The
supported key exchange methods are shown below. Enabling any of these
key exchange methods in a session disables support for TLS 1.3.

@table @code

@item SRP:
Authentication using the @acronym{SRP} protocol.

@item SRP_DSS:
Client authentication using the @acronym{SRP} protocol. Server is
authenticated using a certificate with DSA parameters.

@item SRP_RSA:
Client authentication using the @acronym{SRP} protocol. Server is
authenticated using a certificate with RSA parameters.

@end table

@showfuncdesc{gnutls_srp_verifier}

@showfuncB{gnutls_srp_base64_encode2,gnutls_srp_base64_decode2}

@include invoke-srptool.texi

@node Anonymous authentication
@subsection Anonymous authentication
@cindex anonymous authentication

The anonymous key exchange offers encryption without any
indication of the peer's identity. This kind of authentication
is vulnerable to a man-in-the-middle attack, but can be
used even if there is no prior communication or shared trusted parties
with the peer. It is useful to establish a session over which certificate
authentication will occur in order to hide the identities of the participants
from passive eavesdroppers. It is only available under TLS 1.2 or earlier
versions.

Except in the above case, it is not recommended to use anonymous authentication.
In the cases where there is no prior communication with the peers,
an alternative with better properties, such as key continuity, is trust on first use
(see @ref{Verifying a certificate using trust on first use authentication}).

The available key exchange algorithms for anonymous authentication are
shown below, but note that few public servers support them, and they
have to be explicitly enabled. These ciphersuites are negotiated only under
TLS 1.2.

@table @code

@item ANON_DH:
This algorithm exchanges Diffie-Hellman parameters.

@item ANON_ECDH:
This algorithm exchanges elliptic curve Diffie-Hellman parameters. It is more
efficient than ANON_DH at equivalent security levels.

@end table
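The properties this chapter attaches to each key exchange (plain PSK has no forward secrecy, SRP disables TLS 1.3, anonymous methods are open to a man in the middle) can be checked mechanically when reviewing a configuration. The following is an added example, not code from GnuTLS or from this manual: the function name and flag names are hypothetical, it assumes the hyphenated priority-string spellings of the methods listed in the tables, and it assumes keywords such as NORMAL enable none of them.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* One bit per property the manual text attaches to a key exchange. */
enum {
    F_NO_FS      = 1 << 0, /* plain PSK: no forward secrecy */
    F_MITM       = 1 << 1, /* anonymous: open to a man in the middle */
    F_TLS12_ONLY = 1 << 2, /* method itself not available under TLS 1.3 */
    F_NO_TLS13   = 1 << 3, /* SRP: enabling it disables TLS 1.3 support */
};

/* Assumed priority-string spellings (hyphenated) of the tabled methods. */
static const struct { const char *name; unsigned flags; } KX[] = {
    { "PSK", F_NO_FS }, { "DHE-PSK", 0 }, { "ECDHE-PSK", 0 },
    { "SRP", F_TLS12_ONLY | F_NO_TLS13 }, { "SRP-DSS", F_TLS12_ONLY | F_NO_TLS13 },
    { "SRP-RSA", F_TLS12_ONLY | F_NO_TLS13 }, { "RSA-PSK", F_TLS12_ONLY },
    { "ANON-DH", F_MITM | F_TLS12_ONLY }, { "ANON-ECDH", F_MITM | F_TLS12_ONLY },
};
#define NKX (sizeof KX / sizeof KX[0])

/* Apply "+NAME" (enable) and "-NAME"/"!NAME" (disable) left to right and
 * return the OR of the flags of every method still enabled at the end.
 * Assumption: keywords such as NORMAL enable none of these methods. */
unsigned audit_priority(const char *prio)
{
    char buf[512];
    int on[NKX] = { 0 };
    unsigned out = 0;
    if (strlen(prio) >= sizeof buf) return ~0u; /* too long: flag everything */
    strcpy(buf, prio);
    for (char *t = strtok(buf, ":"); t != NULL; t = strtok(NULL, ":")) {
        if (strcasecmp(t, "-KX-ALL") == 0)
            memset(on, 0, sizeof on);           /* drops every key exchange */
        else if (*t == '+' || *t == '-' || *t == '!')
            for (size_t i = 0; i < NKX; i++)
                if (strcasecmp(t + 1, KX[i].name) == 0)
                    on[i] = (*t == '+');
    }
    for (size_t i = 0; i < NKX; i++)
        if (on[i]) out |= KX[i].flags;
    return out;
}

int main(void)
{
    printf("%#x\n", audit_priority("NORMAL:+ANON-ECDH:+ANON-DH")); /* constructed sample */
    return 0;
}
```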