|
Packit |
aea12f |
@node Shared-key and anonymous authentication
@section Shared-key and anonymous authentication

In addition to certificate authentication, the TLS protocol may be
used with password, shared-key and anonymous authentication methods.
The rest of this chapter discusses details of these methods.

@menu
* PSK authentication::
* SRP authentication::
* Anonymous authentication::
@end menu

@node PSK authentication
@subsection PSK authentication

@menu
* Authentication using PSK::
* psktool Invocation:: Invoking psktool
@end menu

@node Authentication using PSK
@subsubsection Authentication using @acronym{PSK}
@cindex PSK authentication

Authentication using pre-shared keys is a method to authenticate using
usernames and binary keys. This protocol avoids making use of public
key infrastructure and expensive calculations, thus it is suitable for
constrained clients. It is available under all TLS protocol versions.

The implementation in @acronym{GnuTLS} is based on @xcite{TLSPSK}.
The supported @acronym{PSK} key exchange methods are:

@table @code

@item PSK:
Authentication using the @acronym{PSK} protocol (no forward secrecy).

@item DHE-PSK:
Authentication using the @acronym{PSK} protocol and Diffie-Hellman key
exchange. This method offers perfect forward secrecy.

@item ECDHE-PSK:
Authentication using the @acronym{PSK} protocol and Elliptic curve Diffie-Hellman key
exchange. This method offers perfect forward secrecy.

@item RSA-PSK:
Authentication using the @acronym{PSK} protocol for the client and an RSA certificate
for the server. This is not available under TLS 1.3.

@end table

Helper functions to generate and maintain @acronym{PSK} keys are also included
in @acronym{GnuTLS}.

@showfuncC{gnutls_key_generate,gnutls_hex_encode,gnutls_hex_decode}

@include invoke-psktool.texi


@node SRP authentication
@subsection SRP authentication

@menu
* Authentication using SRP::
* srptool Invocation:: Invoking srptool
@end menu

@node Authentication using SRP
@subsubsection Authentication using @acronym{SRP}
@cindex SRP authentication

@acronym{GnuTLS} supports authentication via the Secure Remote Password
or @acronym{SRP} protocol (see @xcite{RFC2945,TOMSRP} for a description).
The @acronym{SRP} key exchange is an extension to the
@acronym{TLS} protocol, and it provides a password-authenticated
key exchange. The peers can be identified using a single password,
or there can be combinations where the client is authenticated using @acronym{SRP}
and the server using a certificate. It is only available under TLS 1.2 or earlier
versions.

The advantage of @acronym{SRP} authentication, over other proposed
secure password authentication schemes, is that @acronym{SRP} is not
susceptible to off-line dictionary attacks.
Moreover, SRP does not require the server to hold the user's password.
This kind of protection is similar to the one used traditionally in the @acronym{UNIX}
@file{/etc/passwd} file, where the contents of this file did not cause
harm to the system security if they were revealed. Instead of the plain
password, @acronym{SRP} needs something called a verifier, which
is calculated using the user's password, and if stolen cannot be used
to impersonate the user.
@c The Stanford @acronym{SRP} libraries, include a PAM module that synchronizes
@c the system's users passwords with the @acronym{SRP} password
@c files. That way @acronym{SRP} authentication could be used for all users
@c of a system.
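
The following Python code is an added example, not taken from GnuTLS or its manual: it computes the verifier as RFC 5054 (TLS-SRP) specifies and runs one SRP-6a exchange, so that the server side is seen to work from the stored verifier alone while a client with the wrong password ends up with a different premaster secret. The function names are illustrative; the group, salt and identity are the sample values published in RFC 5054.

```python
import hashlib
import secrets

N = int(  # 1024-bit group from RFC 5054 Appendix A, used with generator 2
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
NLEN = (N.bit_length() + 7) // 8

def h_int(*parts):  # SHA-1 over the concatenated byte strings, as an integer
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def pad(n):  # integer as bytes, left-padded to the byte length of N
    return n.to_bytes(NLEN, "big")

K = h_int(pad(N), pad(G))  # SRP-6a multiplier k = H(N | PAD(g))

def private_x(user, password, salt):
    """x = H(salt | H(user ":" password)); only the client can compute it."""
    inner = hashlib.sha1((user + ":" + password).encode()).digest()
    return h_int(salt, inner)

def make_verifier(user, password, salt):
    """v = g^x mod N: the only password-derived value the server stores."""
    return pow(G, private_x(user, password, salt), N)

def server_secret(v, A, b, B):
    if A % N == 0:  # the server must reject this client value
        raise ValueError("illegal client public value")
    u = h_int(pad(A), pad(B))
    return pow(A * pow(v, u, N) % N, b, N)

def client_secret(user, password, salt, a, B):
    if B % N == 0:  # the client must reject this server value
        raise ValueError("illegal server public value")
    x = private_x(user, password, salt)
    u = h_int(pad(pow(G, a, N)), pad(B))
    return pow((B - K * pow(G, x, N)) % N, a + u * x, N)

def handshake(v, user, password, salt):
    """Run one exchange; True if both sides derive the same premaster secret."""
    a, b = secrets.randbits(256), secrets.randbits(256)
    A = pow(G, a, N)
    B = (K * v + pow(G, b, N)) % N  # computed from v, not from the password
    return client_secret(user, password, salt, a, B) == server_secret(v, A, b, B)

SALT = bytes.fromhex("BEB25379D1A8581EB5A727673A2441EE")  # RFC 5054 sample salt
V = make_verifier("alice", "password123", SALT)  # RFC 5054 sample identity
```

In GnuTLS itself the verifier is produced by gnutls_srp_verifier or by srptool rather than by application code.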

Typical conventions in SRP are a password file, called @file{tpasswd}, that
holds the SRP verifiers (encoded passwords) and another file, @file{tpasswd.conf},
which holds the allowed SRP parameters. The helpers included in GnuTLS
follow those conventions. The srptool program, discussed in the next section,
is a tool to manipulate the SRP parameters.

The implementation in @acronym{GnuTLS} is based on @xcite{TLSSRP}. The
supported key exchange methods are shown below. Enabling any of these
key exchange methods in a session disables support for TLS 1.3.

@table @code

@item SRP:
Authentication using the @acronym{SRP} protocol.

@item SRP_DSS:
Client authentication using the @acronym{SRP} protocol. Server is
authenticated using a certificate with DSA parameters.

@item SRP_RSA:
Client authentication using the @acronym{SRP} protocol. Server is
authenticated using a certificate with RSA parameters.

@end table


@showfuncdesc{gnutls_srp_verifier}

@showfuncB{gnutls_srp_base64_encode2,gnutls_srp_base64_decode2}

@include invoke-srptool.texi

@node Anonymous authentication
@subsection Anonymous authentication
@cindex anonymous authentication

The anonymous key exchange offers encryption without any
indication of the peer's identity. This kind of authentication
is vulnerable to a man-in-the-middle attack, but can be
used even if there is no prior communication or shared trusted parties
with the peer. It is useful to establish a session over which certificate
authentication will occur in order to hide the identities of the participants
from passive eavesdroppers. It is only available under TLS 1.2 or earlier
versions.

Except in the above case, it is not recommended to use anonymous authentication.
In the cases where there is no prior communication with the peers,
an alternative with better properties, such as key continuity, is trust on first use
(see @ref{Verifying a certificate using trust on first use authentication}).

The available key exchange algorithms for anonymous authentication are
shown below, but note that few public servers support them, and they
have to be explicitly enabled. These ciphersuites are negotiated only under
TLS 1.2.

@table @code

@item ANON_DH:
This algorithm exchanges Diffie-Hellman parameters.

@item ANON_ECDH:
This algorithm exchanges elliptic curve Diffie-Hellman parameters. It is more
efficient than ANON_DH on equivalent security levels.

@end table