Transport Layer Security Secure Remote Password (TLS-SRP) ciphersuites are a set of cryptographic protocols that provide secure communication based on passwords, using an SRP password-authenticated key exchange.
There are two classes of TLS-SRP ciphersuites: The first class of cipher suites uses only SRP authentication. The second class uses SRP authentication and public key certificates together for added security.
Usually, TLS uses only public key certificates for authentication. TLS-SRP uses a value derived from a password (the SRP verifier) and a salt, shared in advance among the communicating parties, to establish a TLS connection. There are several possible reasons one may choose to use TLS-SRP:
* Using password-based authentication does not require reliance on certificate authorities.
* The end user does not need to check the URL being certified. If the server does not know data derived from the password then the connection simply cannot be made. This prevents phishing.
* Password authentication is less prone than certificate authentication to certain types of configuration mistakes, such as expired certificates or mismatched common name fields.
* TLS-SRP provides mutual authentication (the client and server both authenticate each other), while TLS with server certificates only authenticates the server to the client. Client certificates can authenticate the client to the server, but it may be easier for a user to remember a password than to install a certificate.
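The verifier-and-salt mechanism and the mutual authentication described above, as an added Python example that is not part of the original article or of any implementation listed below. It follows the SRP-SHA1 arithmetic of RFC 5054 with that RFC's 1024-bit group; the function names and the sample user name and password are assumptions made for illustration.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A, generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-1 over the concatenated byte strings, returned as an integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def pad(n):
    return n.to_bytes(NLEN, "big")  # left-pad to the length of N

def private_x(user, password, salt):
    # x = SHA1(salt | SHA1(user | ":" | password)); known only to the client
    inner = hashlib.sha1(user + b":" + password).digest()
    return H(salt, inner)

def make_verifier(user, password, salt):
    # v = g^x mod N: what the server stores in place of the password
    return pow(g, private_x(user, password, salt), N)

def handshake(user, typed_password, salt, stored_v):
    """Run one key exchange; return (client_secret, server_secret)."""
    k = H(pad(N), pad(g))
    a = secrets.randbits(256)              # client ephemeral private value
    b = secrets.randbits(256)              # server ephemeral private value
    A = pow(g, a, N)                       # sent by the client
    B = (k * stored_v + pow(g, b, N)) % N  # sent by the server
    if A % N == 0 or B % N == 0:           # each side must abort on these
        raise ValueError("illegal SRP parameter")
    u = H(pad(A), pad(B))
    x = private_x(user, typed_password, salt)
    client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    server = pow((A * pow(stored_v, u, N)) % N, b, N)
    return client, server

if __name__ == "__main__":
    salt = secrets.token_bytes(16)         # constructed sample values
    v = make_verifier(b"alice", b"password123", salt)
    for typed in (b"password123", b"wrong-guess"):
        c, s = handshake(b"alice", typed, salt, v)
        print(typed, "secrets match:", c == s)
```

In TLS-SRP the two returned values are the premaster secret, so a wrong password or a server without the matching verifier shows up as a failed handshake rather than as an explicit password error.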
Implementations
TLS-SRP is implemented in GnuTLS, OpenSSL as of release 1.0.1, Apache mod_gnutls and mod_ssl, cURL, TLS Lite, SecureBlackbox and wolfSSL.
Standards
* RFC 2945: “The SRP Authentication and Key Exchange System”.
* RFC 5054: “Using the Secure Remote Password (SRP) Protocol for TLS Authentication”.
See also
* Transport Layer Security