In computer systems, username and password has become a widely used way to authenticate users. The evolution of password storage and authentication methods has gone through various stages to enhance security and protect user credentials.
Here's an overview of the progression from plain text passwords to using Secure Remote Password (SRP) and the key concepts at each stage:
Plain Text Passwords: In the early days of computing and network authentication, passwords were often stored in plain text on servers. This means that when a user entered their password, it was stored exactly as entered. The main problem with plain text storage is that if the server is compromised, attackers can easily obtain the passwords, potentially leading to unauthorized access to user accounts.
Password Hashing: The next step was to use password hashing to address the security weaknesses of plain text passwords. Instead of storing the actual password, this approach stores a one-way cryptographic hash of the password on the server. Hashing ensures that the original password cannot be easily retrieved from the stored value, even if the database is breached. Common hashing algorithms used for password storage include MD5, SHA-1, and more secure ones like bcrypt, scrypt, and Argon2. These newer algorithms are designed to be slow and computationally intensive, making it more difficult for attackers to crack passwords through brute force or dictionary attacks.
Salted Hashes: The concept of adding salt to password hashes was introduced to enhance security. A salt is a random value unique to each user, combined with their password before hashing. Salting prevents precomputed rainbow tables and ensures that even identical passwords result in different hashes due to the unique salts. Combining salt with password hashing significantly improves the resistance to offline attacks.
Secure Remote Password (SRP): SRP is an advanced authentication protocol that addresses the weaknesses in traditional password-based authentication systems. In SRP, the password is transformed into a verifier value stored on the server, and the actual password is never transmitted during authentication. SRP uses cryptographic techniques to provide mutual authentication, where both the client and server prove their identities without exchanging plaintext secrets. The protocol also defends against a wide range of attacks, including man-in-the-middle attacks, replay attacks, and offline password attacks.
In summary, password security has progressed from storing plain text passwords to using password hashing with salts and finally to the more advanced and secure Secure Remote Password (SRP) protocol. SRP protects passwords from exposure and provides strong security features for remote authentication, making it a valuable choice for applications that require robust security and user protection. Secure Remote Password (SRP) is a cryptographic protocol and authentication mechanism that allows two parties, typically a client and a server, to establish a secure connection and authenticate each other without exposing the user's password to potential eavesdroppers or attackers. The primary goal of SRP is to protect the user's password from being transmitted over the network, making it resistant to offline password attacks.
Here's a simplified overview of how SRP works:
Registration
- Client and server first negotiate on an SRP group and agree on one.
- Client collects a user-provided username & password and generates random salt.
- Client uses the key derivation function to derive a secure key from a user-provided password.
- Client then uses an agreed SRP group and derived secure key x to generate a verifier v.
- Client sends the username, salt, and verifier (v) to the server over a secure channel.
- Server stores the SRP group, username, salt, and verifier (v) in durable storage, with (v) stored securely.
Authentication
- We assume the client can access the secure derived key (x) and the agreed SRP group.
- Client creates an ephemeral public key (A) and sends it to the server.
- Server computes the ephemeral public key (B) and sends it to the client.
- Server uses its private key to encrypt and send username and salt to the client as proof.
- Client verifies the proof and sends its proof to the server using its private key.
- Once the server verifies the proof, both the client and server have verified that the other party has the username and password and mathematically agreed on the proof. Authentication is successful in this case.
SRP provides several security benefits:
- The password is never sent over the network, making it resistant to eavesdropping.
- It offers protection against offline dictionary and brute force attacks because the verifier stored on the server is derived from the user's password and a salt.
- It provides mutual authentication, meaning the client and the server verify each other's identity. It offers additional authentication over TLS.
SRP is widely used in secure authentication systems and can be particularly valuable in situations where secure remote authentication is crucial, such as online banking and other secure applications.