
The story of SRP, the Zero-Knowledge authentication protocol


Preamble: this talk is an attempt at popularisation, aiming to explain a protocol that is simple to implement and to use, but that relies on little-known cryptographic methods that might put some developers off. Its wider adoption could have a major positive impact on the security of Internet users and on the protection of their privacy.

Once upon a time there were valiant administrators and developers who had to control access to highly valuable services through password-based authentication. The venerated users were rich with a treasure of personal and sensitive data, and their passwords were its key. Their life would have been wonderful, were it not for the terrible black-hat pirates equipped with their fearsome rainbow tables, and the gigantic grufalos, able to eavesdrop on and clone users' passwords in order to steal, or exploit, their treasure. The valiant developers and administrators fought the pirates with recipes based on hashes and salts that they handed down from generation to generation. But know, brave and valiant friends, that an old (American) Indian recipe of formidable effectiveness was unearthed and then put to use in the Helvetic lands of ProtonMail: the Secure Remote Password protocol (aka SRP). Indeed, this "mathemagical" recipe lets users authenticate simply with their password, without ever exposing that precious secret on the chaotic Internet. The wicked pirates and the hungry grufalos can therefore no longer eavesdrop on and steal the keys to the treasure, and the mathemagical recipe greatly simplifies the work of the valiant developers and administrators. If, through this modest story, we make SRP known and contribute to its adoption, then it's game over for the black-hat pirates and the gigantic grufalos (or nearly).

Secure Remote Password (SRP) is a password-based authentication protocol relying on a zero-knowledge proof. It was published in 1998 by Tom Wu of Stanford University, then standardised in 2000 in RFC 2945. It is used daily by, among others, the millions of ProtonMail users.

Willy Malvault

February 04, 2022

Transcript

  1. Snowcamp 2022. The story of SRP, the Zero-Knowledge authentication protocol, against the black-hat pirates, their rainbow tables, and the grufalos. Willy Malvault. Yes! I know! This title is far too long and already gives you a headache… 🤯 Thank you for being here anyway 🙏 Thanks to the Snowcamp organisers for not being afraid to accept this talk with its endless title 😘 But the topic is worth it!
  2. But they only have access to a chaotic and untrusted Internet to reach these services.
  3. Internet: untrusted federative administration with no centralized control (and no police); chaotic, unpredictable path and performance.
  4. On a cloudy day, Alice wanted to book a covid test via an online service.
  5. On a cloudy day, Alice wanted to book a covid test via an online service. The only path to reach the service and get an appointment is via the Internet!
  6. [Figure: user table managed by the valiant devops: Alice 10/02/22 17:15; Bob 10/02/22 17:15; …] On a cloudy day, Alice wanted to book a covid test via an online service. The only path to reach the service and get an appointment is via the Internet!
  7. "How do we authenticate Alice on an untrusted and unpredictable network?"
  8. "How do we authenticate Alice on an untrusted and unpredictable network?" "Let's use password authentication! I've seen that in a spy movie."
  9. [Figure: user table: Alice 10/02/22 17:15 "123456"; Bob 10/02/22 17:15 "azerty"; …] Let's add a password attribute for users in our DB!
  10. [Figure: user table: Alice 10/02/22 17:15 "123456"; Bob 10/02/22 17:15 "azerty"; …] Let's add a password attribute for users in our DB! 123456
  11. [Figure: user table: Alice 10/02/22 17:15 "123456"; Bob 10/02/22 17:15 "azerty"; …] Let's add a password attribute for users in our DB! Brilliant! 123456
  12. Password-based authentication. "Hey! It's Alice!" "Prove it with your password."
  13. Password-based authentication. "Hey! It's Alice!" "Prove it with your password." "Hey! It's Alice!", "123456" [DB: Alice "123456"; Bob "azerty"; …]
  14. Password-based authentication. "Hey! It's Alice!" "Prove it with your password." "Hey! It's Alice!", "123456" [DB: Alice "123456"; Bob "azerty"; …] OK. "Authentication successful, Alice!"
  15. Password-based authentication: easy to code 👍, few computations 👍, human-memory compatible 👍, needs a subscription step 🤷
  16. But… Black hats: clever guys that build tools to break into databases and eavesdrop on communications.
  17. But… Black hats: clever guys that build tools to break into databases and eavesdrop on communications. Grufalos: giant monsters that can see and record anything that passes via the Internet.
  18. "Damned! They will try to steal Alice's password! I know she reuses them a lot (😭)! And how can we trust Alice's authentication with that?"
  19. "Damned! They will try to steal Alice's password! I know she reuses them a lot (😭)! And how can we trust Alice's authentication with that?" "Don't worry, we will add countermeasures in time! And we'll teach Alice not to reuse her passwords (💪)!"
  20. WoMan In The Middle attack (MITM). "Alice", "123456" passes through the woman in the middle and reaches the server as "Alice", "123456"; the server checks its DB [Alice "123456"; Bob "azerty"; …], answers OK, and "OK Alice!" travels back the same way.
  21. WoMan In The Middle attack (MITM). Same exchange as before, and later: "Alice", "123456" sent again, this time by the woman in the middle.
  22. Monsters In The Middle attack (MITM). Same exchange as before, with the grufalo in the middle, and later: "Alice", "123456" sent again by the grufalo.
  23. "How do we counter Man In The Middle?" "I think it's time to make TLS mandatory! HTTPS for everyone! everywhere!"
  24. … and they used TLS everywhere, which greatly mitigated MITM attacks! Still, beware of the grufalos!!! They are capable of recording everything and doing cold analysis. Someday, they might retrieve your passwords. ⚠
  25. Compromised database attack. "Hey! I'm the new janitor, it's time for me to clean the server room." "Sure! We were waiting for you."
  26. Compromised database attack. "Hahaha! Actually I'm a disguised pirate, and I'm here to spy on the password database." [DB: Alice "123456"; Bob "azerty"; …] Privilege escalation. Copy database.
  27. "The pirates are full of tricks! They succeeded in reading our database! The passwords are not safe anymore!" "OK! Let's use hash functions so that we do not store passwords in our database anymore!"
  28. Using a one-way hash function. [DB before: Alice "123456"; Bob "azerty"; … DB after: Alice "0xe41256"; Bob "0xa97b12"; …] H("123456") = 0xe41256, H("azerty") = 0xa97b12
      • H is a one-way hash function, P the password and h the print (digest) such that H(P) = h
      • It is easy to compute H(P), so we can do it for each authentication
      • It is mathematically difficult to find P if you only know h and H
  29. Using a one-way hash function. [DB: Alice "0xe41256"; Bob "0xa97b12"; …] "Alice", "123456" arrives; the server computes H("123456") = 0xe41256, compares it with the stored print, OK, "OK Alice!"
  30. "Damned! It consumes too much time to retrieve passwords with these hash functions!" "Hahaha! I'll share my rainbow table with you, dude!"
  31. Rainbow table attack. [Table: "0xe41256" → "123456"; "0xa97b12" → "azerty"; …] H("123456") = 0xe41256, H("azerty") = 0xa97b12
      • Each time a pirate compromises a database, robots are used to find the passwords that generate these hashes
      • The rainbow table is a dictionary where the key is the hash and the value is the password (a bit more complicated, but you get the idea)
  32. Rainbow table attack. [Table: "0xe41256" → "123456"; "0xa97b12" → "azerty"; …] H("123456") = 0xe41256, H("azerty") = 0xa97b12
      • Each time a pirate compromises a database, robots are used to find the passwords that generate these hashes
      • The rainbow table is a dictionary where the key is the hash and the value is the password (a bit more complicated, but you get the idea)
      • This works well, as users reuse their passwords a lot 👿
      • This works well, as everyone uses public hash functions to implement H
  33. "I'm almost crying… These pirates never give up. They have rainbow tables now!" "Be brave! We can use salts to reduce the efficiency of their rainbow tables!"
  34. Using salt to harden against rainbow table attacks. [DB before: Alice "123456"; Bob "azerty"; … DB after: Alice "0x8F8F8F"; Bob "0xA986A"; …] H("123456" + s) = 0x8F8F8F, H("azerty" + s) = 0xA986A
      • s is a randomly chosen salt that is appended to passwords before hashing
  35. Using salt to harden against rainbow table attacks. [DB before: Alice "123456"; Bob "azerty"; … DB after: Alice "0x8F8F8F"; Bob "0xA986A"; …] H("123456" + s) = 0x8F8F8F, H("azerty" + s) = 0xA986A
      • s is a randomly chosen salt that is appended to passwords before hashing
      • If each service uses its own randomly chosen secret salt:
        ◦ all databases will have different values for the same password (even if they use the same H function)
        ◦ pirates can no longer simply consolidate data from services
  36. Combining hash function and salt. [DB: Alice "0x8F8F8F"; Bob "0xA986A"; …] "Alice", "123456" arrives; the server computes H("123456" + s) = 0x8F8F8F, compares it with the stored print, OK, "OK Alice!"
  37. … and pirates make better rainbow tables, while devops build better hash functions and salts, fighting each other endlessly.
  38. … and pirates make better rainbow tables, while devops build better hash functions and salts, fighting each other endlessly. Still, the grufalos are there! They are capable of recording everything and doing cold analysis. Someday, they might retrieve your passwords. ⚠
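The salted hashing of slides 28 to 36, written out as an added example that is not part of the deck. The talk does not name a concrete H; this version assumes PBKDF2-HMAC-SHA256 from Python's standard library with a demo iteration count, a random 16-byte salt per user, and the constructed credentials "123456" and "azerty". `same_password_across_services` checks the slide-35 property: the same password registered at two independent services produces two different prints, so a copied database from one service says nothing about the other.

```python
"""Salted one-way password hashing (slides 28-36). Added example, not code from
the talk. H = PBKDF2-HMAC-SHA256 (assumption: the slides do not name H);
salts, users and passwords below are constructed sample data."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Demo iteration count (assumption). Production values are much higher: this is
# the knob that makes every guess expensive for whoever copied the database.
ITERATIONS = 20_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (s, h) with h = H(password + s). A fresh random salt is drawn when
    none is given, so two registrations of the same password differ."""
    if salt is None:
        salt = secrets.token_bytes(16)
    h = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, h


def verify_password(password: str, salt: bytes, h: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute H(candidate + s) and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, h)


def register(db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> None:
    """Store only (s, h): the clear-text password never reaches the DB (slide 27)."""
    db[username] = hash_password(password)


def login(db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Slide 36: "Alice", "123456" arrives, H("123456" + s) is compared to the print."""
    record = db.get(username)
    if record is None:
        # Hash anyway, so an unknown user costs the same time as a wrong password.
        hash_password(password)
        return False
    salt, h = record
    return verify_password(password, salt, h)


def same_password_across_services(password: str) -> bool:
    """Slide 35: two services storing the same password end up with different
    prints because each drew its own salt. Returns True only if they collide."""
    service_a: Dict[str, Tuple[bytes, bytes]] = {}
    service_b: Dict[str, Tuple[bytes, bytes]] = {}
    register(service_a, "Alice", password)
    register(service_b, "Alice", password)
    return service_a["Alice"][1] == service_b["Alice"][1]


if __name__ == "__main__":
    db: Dict[str, Tuple[bytes, bytes]] = {}
    register(db, "Alice", "123456")   # constructed sample credentials
    register(db, "Bob", "azerty")
    print("Alice / 123456 ->", login(db, "Alice", "123456"))
    print("Alice / azerty ->", login(db, "Alice", "azerty"))
    print("same print at two services?", same_password_across_services("123456"))
```

Two details the slides leave implicit: the comparison goes through `hmac.compare_digest` rather than `==`, so the time it takes does not leak how many bytes matched, and `login` hashes even for an unknown user, so the response time does not reveal which usernames exist.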
  39. Trust problem. "This is too complicated for me! I don't know if it's secure to provide my passwords to services via the Internet!"
  40. "How do we deal with the trust problem?" "Well… I don't know… We have used hash functions and salts for decades!" "😭" "😭"
  41. "😭 😭 😭" "Why are you crying? Little kitties!"
  42. "😭 😭 😭" "Why are you crying? Little kitties!" "Our password authentication is untrusted! We're untrusted 😭!"
  43. "😭 😭 😭" "Why are you crying? Little kitties!" "Our password authentication is untrusted! We're untrusted 😭!" "Oh!? Dry your tears! I have a mathemagical solution for you. Let's leverage zero-knowledge authentication with SRP!"
  44. SRP - registering credentials. x = H(s, "123456")
      • s is a randomly chosen salt only used for the couple (Alice, Service)
      • H is a one-way hash function
  45. SRP - registering credentials. x = H(s, "123456"), v = g^x. Alice sends "Alice", "s", "v".
      • s is a randomly chosen salt only used for the couple (Alice, Service)
      • H is a one-way hash function
      • g is a public generator modulo a safe prime (i.e. a constant number that is part of the protocol, known by both peers) *
      • v is called the "password verifier"
  46. SRP - registering credentials. x = H(s, "123456"), v = g^x. Alice sends "Alice", "s", "v"; the server stores them [DB: Alice "s" "v"; Bob "s2" "v2"; …] and answers "Registration OK", "Alice".
      • s is a randomly chosen salt only used for the couple (Alice, Service)
      • H is a one-way hash function
      • g is a public generator modulo a safe prime (i.e. a constant number that is part of the protocol, known by both peers) *
      • v is called the "password verifier"
  47. SRP - authentication - scrambling parameter. [DB: Alice "s" "v"; Bob "s2" "v2"; …] Alice computes A = g^a and sends "Alice", "A"; the server computes B = v + g^b and sends "B".
      • a, b are private ephemeral random values *
      • A, B are public ephemeral values derived from a, b *
  48. SRP - authentication - scrambling parameter. [DB: Alice "s" "v"; Bob "s2" "v2"; …] Alice computes A = g^a and sends "Alice", "A"; the server computes B = v + g^b and sends "B". Both sides then compute u = H(A, B).
      • a, b are private ephemeral random values *
      • A, B are public ephemeral values derived from a, b *
      • u is a common random scrambling parameter *
  49. SRP - authentication - session key. [DB: Alice "s" "v"; Bob "s2" "v2"; …] The server sends "s"; Alice computes x = H(s, P).
  50. SRP - authentication - session key. [DB: Alice "s" "v"; Bob "s2" "v2"; …] The server sends "s"; Alice computes x = H(s, P). Server: S = (A v^u)^b. Alice: S = (B - g^x)^(a + ux). Mathemagical part! ***
  51. SRP - authentication - session key. [DB: Alice "s" "v"; Bob "s2" "v2"; …] The server sends "s"; Alice computes x = H(s, P). Server: S = (A v^u)^b, K = H(S) *. Alice: S = (B - g^x)^(a + ux), K = H(S) *. Mathemagical part! ***
  52. "Now Alice and the server share a private session key K. They use this key to encrypt messages and have confidential communications."
  53. "Now Alice and the server share a private session key K. They use this key to encrypt messages and have confidential communications." "OK! But Alice is still not authenticated!"
  54. "Now Alice and the server share a private session key K. They use this key to encrypt messages and have confidential communications." "OK! But Alice is still not authenticated!" "Yes boy! You are right!"
  55. SRP - key matching. Alice sends M = H(H(N) xor H(g), H("Alice"), s, A, B, K) *; the server answers with H(A, M, K) *. "Yeah! That rocks 🎉👏"
  56. "We have a zero-knowledge authentication protocol, immune to dictionary attacks, over an untrusted network!"
  57. "We have a zero-knowledge authentication protocol, immune to dictionary attacks, over an untrusted network!" "We did resolve the trust problem, Alice!"
  58. "We have a zero-knowledge authentication protocol, immune to dictionary attacks, over an untrusted network!" "OK! We are losing this battle! But the war is not over!" "We did resolve the trust problem, Alice!"
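The exchange of slides 44 to 55 carried through in code, as an added example that is not code from the talk, from ProtonMail, or from any SRP library. It follows the slide formulas as written, i.e. the RFC 2945 form with B = v + g^b and x = H(s, P); current deployments use the fixed groups of RFC 5054 and the SRP-6a form B = kv + g^b with k = H(N, g), and fold the identity into x as well. Assumptions beyond the slides: N is a demo-sized safe prime generated at run time (the fixed RFC 5054 groups are what belongs in production), g = 2, H is SHA-256 over length-prefixed arguments, and the A mod N ≠ 0 and B mod N ≠ 0 checks are the ones RFC 5054 requires of the server and the client. Identities, salts and passwords are constructed sample data.

```python
"""SRP registration, session key and key matching (slides 44-55). Added example
following the slide formulas (RFC 2945 form, B = v + g^b). Not code from the
talk, ProtonMail or any library. Demo group: run-time safe prime, g = 2;
H: SHA-256 over length-prefixed parts (assumptions). Sample data is constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test, sufficient to pick a demo group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """Random safe prime N = 2q + 1 with q prime (the modulus behind slide 45's g)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def H(*parts) -> int:
    """One-way hash of ints, bytes or str, returned as an integer. Each part is
    length-prefixed so that H(s, P) cannot collide with another split of the bytes."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(part, str):
            part = part.encode("utf-8")
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def register(N: int, g: int, password: str) -> Tuple[bytes, int]:
    """Slides 44-46: pick s, derive x = H(s, P) and the verifier v = g^x.
    Only (s, v) travels to the server; it never sees P or x."""
    s = secrets.token_bytes(16)
    return s, pow(g, H(s, password), N)


def srp_login(N: int, g: int, db: Dict[str, Tuple[bytes, int]],
              username: str, password: str) -> Dict[str, bool]:
    """Runs slides 47-55 between an in-process client and server and reports
    whether each side accepted and whether both derived the same K."""
    s, v = db[username]
    # Slide 47: ephemeral values. Client sends ("Alice", A); server answers B.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    if A % N == 0:                       # server-side check (RFC 5054, 2.5.4)
        raise ValueError("client sent A = 0 mod N")
    b = secrets.randbelow(N - 2) + 1
    B = (v + pow(g, b, N)) % N
    if B % N == 0:                       # client-side check (RFC 5054, 2.5.4)
        raise ValueError("server sent B = 0 mod N")
    # Slide 48: scrambling parameter, computable by both sides.
    u = H(A, B)
    # Slides 49-51: both sides reach S = g^(b(a + ux)) from what they hold.
    S_server = pow(A * pow(v, u, N) % N, b, N)             # (A v^u)^b
    x = H(s, password)                                     # client re-derives x from s
    S_client = pow((B - pow(g, x, N)) % N, a + u * x, N)   # (B - g^x)^(a + ux)
    K_server, K_client = H(S_server), H(S_client)
    # Slide 55: key matching. Client proves K first; server answers H(A, M, K).
    M_client = H(H(N) ^ H(g), H(username), s, A, B, K_client)
    M_expected = H(H(N) ^ H(g), H(username), s, A, B, K_server)
    server_accepts = hmac.compare_digest(M_client.to_bytes(32, "big"),
                                         M_expected.to_bytes(32, "big"))
    client_accepts = False
    if server_accepts:                   # server releases its proof only after M checks out
        client_accepts = H(A, M_client, K_server) == H(A, M_client, K_client)
    return {"server_accepts": server_accepts, "client_accepts": client_accepts,
            "keys_match": K_server == K_client}


if __name__ == "__main__":
    N, g = safe_prime(128), 2                      # demo group only
    db = {"Alice": register(N, g, "123456")}       # constructed sample credentials
    print("right password:", srp_login(N, g, db, "Alice", "123456"))
    print("wrong password:", srp_login(N, g, db, "Alice", "azerty"))
```

Running the file shows both outcomes: with the wrong password the two S values differ, so K differs, the client's M does not match, and the server never releases H(A, M, K). The server only ever holds (s, v) and the transient b, which is the slide-59 property (an untrusted service or a copied database does not expose the password). What the code does not address is the point of slide 60: (s, v) is sent in clear at registration, and a verifier captured there can be attacked offline, so that one step still needs a protected channel.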
  59. Password safety during authentication (traditional password hashing vs. Secure Remote Password)
      Dictionary attack: traditional password hashing exposed 😈; Secure Remote Password immune 🛡
      Man In the Middle attack: traditional password hashing exposed 😈; Secure Remote Password immune 🛡
      Untrusted service: traditional password hashing exposed 😈; Secure Remote Password immune 🛡
  60. SRP limitations
      • The registration step is sensitive and could be eavesdropped
      • The new generation is OPAQUE
        ◦ Hashing functions: 1970
        ◦ SRP: 1998
        ◦ OPAQUE: 2019
  61. Resources
      • How bad we are with our password habits
        ◦ https://connect.ed-diamond.com/MISC/misc-094/psychologie-comportementale-que-faire-du-mot-de-passe
        ◦ https://www.lastpass.com/fr/resources/ebook/psychology-of-passwords-2020
        ◦ https://linc.cnil.fr/fr/de-azerty-paword-une-revue-des-pratiques-de-gestion-des-mots-de-passe
        ◦ https://github.com/tarraschk/richelieu
      • Miscellaneous
        ◦ https://www.password-hashing.net/
        ◦ https://fr.wikipedia.org/wiki/Attaque_de_l%27homme_du_milieu
        ◦ https://pages.nist.gov/800-63-3/sp800-63b.html
  62. Resources
      • Secure Remote Password (paper, blog and RFCs)
        ◦ http://srp.stanford.edu/ (papers and RFCs)
        ◦ https://support.1password.com/secure-remote-password/
        ◦ https://www.cryptologie.net/article/503/user-authentication-with-passwords-whats-srp/
        ◦ https://protonmail.com/blog/encrypted_email_authentication/
      • Secure Remote Password (code)
        ◦ https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Implementations
        ◦ https://github.com/ProtonMail/WebClients
      • OPAQUE
        ◦ https://cfrg.github.io/draft-irtf-cfrg-opaque/draft-irtf-cfrg-opaque.html
        ◦ https://blog.cloudflare.com/opaque-oblivious-passwords/