CLP-01-016 SRP implementation vulnerable to known attacks (High)

The Clipperz application implements the Secure Remote Password protocol
for authentication. The implementation adheres to the original protocol
specification from 1998 and is not standardized. The third revision
(SRP-3) is described in RFC2459, and has since been revised several
times to protect against attacks. Two attacks, the "two-for-one"
guessing attack and the message ordering attack, are detailed in the
paper "SRP-6 Improvements and Refinements of the Secure Remote Password
Protocol". The latest revision of the protocol, SRP-6, is being
standardized in IEEE P1363 and ISO/IEC 11770-4.

Specifically, the implementation is missing the k value introduced in
SRP-6 to prevent the "two-for-one" attack. The k value is used on the
server side to compute B = kv + g^b and on the client side to compute
S = (B - kg^x)^(a + ux). Also, the exchange of messages follows the
SRP-3 optimized ordering, not the standard or optimized message ordering
of SRP-6, which was introduced to prevent a message ordering attack.
Note also that the computation of M1 = H(A | B | K) does not adhere to
M1 = H(H(N) XOR H(g) | H(I) | s | A | B | K) as specified by the
standard.
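
The SRP-6 computations named above (B with the k multiplier, the client
and server forms of S, and the standard M1), as an added example that is
not Clipperz code. Assumptions: SHA-256 as H, k = 3, u = H(A | B),
x = H(s | H(I ":" P)), a toy 127-bit modulus, and hypothetical function
names; message ordering is not modelled.

```python
import hashlib
import secrets

# Demo assumptions: SHA-256 as H and a toy 127-bit prime modulus (constructed
# for this example). Real deployments use a large standardized safe-prime group.
N, g = 2**127 - 1, 3
k = 3  # SRP-6 multiplier; leaving it out, as in SRP-3, is the same as k = 1


def H(*parts) -> bytes:
    """Hash the concatenation of byte strings and big-endian integers."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return h.digest()


def private_key(s: bytes, I: bytes, P: bytes) -> int:
    return int.from_bytes(H(s, H(I, b":", P)), "big")  # x


def register(I: bytes, P: bytes):
    s = secrets.token_bytes(16)
    return s, pow(g, private_key(s, I, P), N)  # server stores (s, v)


def proof(I, s, A, B, K) -> bytes:
    """M1 = H(H(N) XOR H(g) | H(I) | s | A | B | K)."""
    ng = bytes(x ^ y for x, y in zip(H(N), H(g)))
    return H(ng, H(I), s, A, B, K)


def login(I: bytes, P: bytes, s: bytes, v: int) -> bool:
    """Run both sides of one SRP-6 exchange; True if the server accepts M1."""
    a, b = secrets.randbits(256), secrets.randbits(256)
    A = pow(g, a, N)                      # client's public value
    B = (k * v + pow(g, b, N)) % N        # server's public value, B = kv + g^b
    u = int.from_bytes(H(A, B), "big")
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("degenerate SRP value, abort the handshake")
    x = private_key(s, I, P)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # (B - kg^x)^(a+ux)
    S_server = pow(A * pow(v, u, N) % N, b, N)                # (A * v^u)^b
    M1 = proof(I, s, A, B, H(S_client))   # client's proof, with K = H(S)
    return secrets.compare_digest(M1, proof(I, s, A, B, H(S_server)))
```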