
SunnyTech 2022 - SRP - The Zero-Knowledge authentication protocol, told as a tale.


Preamble: this talk is an attempt at popularisation, aiming to explain a protocol that is simple to implement and to use, but which relies on little-known cryptographic methods that might put some developers off. Its wider adoption could have a major positive impact on the security of Internet users and on the protection of their privacy.

Once upon a time there were valiant administrators and developers who had to control access to high-value services with password-based authentication. The venerated users were rich with a treasure of personal and sensitive data, and their passwords were its key. Their lives would have been wonderful, were it not for the terrible black-hat pirates armed with their formidable rainbow tables, and the gigantic grufalos, able to eavesdrop on and clone users' passwords in order to steal, or exploit, their treasure. The valiant developers and administrators fought the pirates with recipes of hashes and salts passed down from generation to generation. But know, brave and valiant friends, that an old Indian (American) recipe of formidable efficiency has been unearthed and put to use in the Swiss lands of ProtonMail: the Secure Remote Password protocol (aka SRP). Indeed, this "mathemagical" recipe lets users authenticate simply with their password, without ever exposing these precious secrets on the chaotic Internet. The wicked pirates and the hungry grufalos can therefore no longer eavesdrop on and steal the keys to the treasure, and the mathemagical recipe greatly simplifies the work of the valiant developers and administrators. If, through this modest story, we make SRP known and contribute to its adoption, then it is game over for the black-hat pirates and the gigantic grufalos (or almost).

Secure Remote Password (SRP) is a password-based authentication protocol built on a zero-knowledge proof. It was published in 1998 by Tom Wu of Stanford University, then standardised in 2000 in RFC 2945. It is notably used every day by the millions of ProtonMail users.

Willy Malvault

July 07, 2022


Transcript

1. Sunnytech 2022. The story of SRP, the Zero-Knowledge authentication protocol, against black-hat pirates, their rainbow tables, and the grufalos. Willy Malvault
2. But they only have access to a chaotic and untrusted Internet to reach these services.
3. The Internet is untrusted (federative administration with no centralized control, and no police) and chaotic (unpredictable path and performance).
4. On a cloudy day, Alice wanted to book a covid test via an online service.
5. On a cloudy day, Alice wanted to book a covid test via an online service. The only path to reach the service and get an appointment is via the Internet!
6. [Diagram: the service's user table, managed by the Valiant Devops: Alice 10/02/22 17:15 | Bob 10/02/22 17:15 | …] On a cloudy day, Alice wanted to book a covid test via an online service. The only path to reach the service and get an appointment is via the Internet!
7. "How do we authenticate Alice on an untrusted and unpredictable network?"
8. "How do we authenticate Alice on an untrusted and unpredictable network?" "Let's use password authentication! I've seen that in a spy movie."
9. [User table: Alice 10/02/22 17:15 "123456" | Bob 10/02/22 17:15 "azerty" | …] Let's add a password attribute for users in our DB!
10. [User table: Alice 10/02/22 17:15 "123456" | Bob 10/02/22 17:15 "azerty" | …] Let's add a password attribute for users in our DB! Alice picks 123456.
11. [User table: Alice 10/02/22 17:15 "123456" | Bob 10/02/22 17:15 "azerty" | …] Let's add a password attribute for users in our DB! Alice picks 123456. "Brilliant!"
12. Password based authentication. "Hey! It's Alice!" "Prove it with your password."
13. Password based authentication. "Hey! It's Alice!" "Prove it with your password." Alice sends "Hey! It's Alice!", "123456"; the service looks it up in its table (Alice "123456" | Bob "azerty" | …).
14. Password based authentication. "Hey! It's Alice!" "Prove it with your password." Alice sends "Hey! It's Alice!", "123456"; the service looks it up in its table (Alice "123456" | Bob "azerty" | …), finds a match (OK) and answers "Authentication successful, Alice!"
15. Password based authentication: easy to code 👍, few computations 👍, human memory compatible 👍, needs a subscription step 🤷.
16. But… Black hats: clever guys that build tools to break into databases and eavesdrop on communications.
17. But… Black hats: clever guys that build tools to break into databases and eavesdrop on communications. Grufalos: giant monsters that can see and record anything that passes over the Internet.
18. "Damned! They will try to steal Alice's password! I know she reuses them a lot (😭)! And how can we trust Alice's authentication with that?"
19. "Damned! They will try to steal Alice's password! I know she reuses them a lot (😭)! And how can we trust Alice's authentication with that?" "Don't worry, we will add countermeasures in time! And we'll teach Alice not to reuse her passwords (💪)!"
20. WoMan In The Middle attack (WITM): Alice sends "Alice", "123456"; the woman in the middle reads it and forwards "Alice", "123456" to the service, which checks its table (Alice "123456" | Bob "azerty" | …), finds a match (OK) and answers "OK Alice!", which she forwards back to Alice.
21. WoMan In The Middle attack (WITM), continued: later, the woman in the middle replays "Alice", "123456" herself, and the service answers "OK Alice!" again.
22. Monsters In The Middle attack (WITM): the same scenario with a grufalo in the middle, recording "Alice", "123456" and "OK Alice!" as they pass, then replaying "Alice", "123456" later.
23. "How do we counter Man In The Middle?" "I think it's time to make TLS mandatory! HTTPS for everyone! Everywhere!"
24. … and they used TLS everywhere, which greatly mitigated MITM attacks! Still, beware of the grufalos!!! They're capable of recording everything and doing cold analysis. Someday, they might retrieve your passwords. ⚠
25. Compromised database attack. "Hey! I'm the new janitor, it's time for me to clean the server room." "Sure! We were waiting for you."
26. Compromised database attack. "Hahaha! Actually I'm a disguised pirate, and I'm here to spy on the password database." Privilege escalation, then a copy of the database: Alice "123456" | Bob "azerty" | …
27. "The pirates are full of tricks! They succeeded in reading our database! The passwords are not safe anymore!" "OK! Let's use hash functions so that we no longer store passwords in our database!"
28. Using a one-way hash function. Before: Alice "123456" | Bob "azerty" | …. After: Alice "0xe41256" | Bob "0xa97b12" | …, with H("123456") = 0xe41256 and H("azerty") = 0xa97b12.
    • H is a one-way hash function, P the password and h the fingerprint (digest), such that H(P) = h
    • It is easy to compute H(P), so we can do it for each authentication
    • It is mathematically difficult to find P if you only know h and H
29. Using a one-way hash function: Alice sends "Alice", "123456"; the service computes H("123456") = 0xe41256, compares it with the stored value (Alice "0xe41256" | Bob "0xa97b12" | …), finds a match (OK) and answers "OK Alice!"
30. "Damned! It takes too much time to retrieve passwords with these hash functions!" "Hahaha! I'll share my rainbow table with you, dude!"
31. Rainbow table attack. [Rainbow table: "0xe41256" → "123456" | "0xa97b12" → "azerty" | …, built from H("123456") = 0xe41256 and H("azerty") = 0xa97b12]
    • Each time a pirate compromises a database, robots are used to find the passwords that generate these hashes
    • The rainbow table is a dictionary where the key is the hash and the value is the password (a bit more complicated, but you get the idea)
32. Rainbow table attack. [Rainbow table: "0xe41256" → "123456" | "0xa97b12" → "azerty" | …]
    • Each time a pirate compromises a database, robots are used to find the passwords that generate these hashes
    • The rainbow table is a dictionary where the key is the hash and the value is the password (a bit more complicated, but you get the idea)
    • This works well, as users reuse their passwords a lot 👿
    • This works well, as everyone uses public hash functions to implement H
33. "I'm almost crying… These pirates never give up. They have rainbow tables now!" "Be brave! We can use salts to reduce the efficiency of their rainbow tables!"
34. Using salt to harden against rainbow table attacks. Before: Alice "123456" | Bob "azerty" | …. After: Alice "0x8F8F8F" | Bob "0xA986A" | …, with H("123456" + s) = 0x8F8F8F and H("azerty" + s) = 0xA986A.
    • s is a randomly chosen salt that is appended to passwords before hashing
35. Using salt to harden against rainbow table attacks. Before: Alice "123456" | Bob "azerty" | …. After: Alice "0x8F8F8F" | Bob "0xA986A" | …, with H("123456", s) = 0x8F8F8F and H("azerty", s) = 0xA986A.
    • s is a randomly chosen salt that is appended to passwords before hashing
    • If each service uses its own randomly chosen secret salt:
      → all databases will have different values for the same password (even if they use the same H function)
      → pirates can no longer simply consolidate data from several services
36. Combining hash function and salt: Alice sends "Alice", "123456"; the service computes H("123456", s) = 0x8F8F8F, compares it with the stored value (Alice "0x8F8F8F" | Bob "0xA986A" | …), finds a match (OK) and answers "OK Alice!"
37. … and pirates make better rainbow tables, while devops build better hash functions and salts, fighting each other endlessly.
38. … and pirates make better rainbow tables, while devops build better hash functions and salts, fighting each other endlessly. Still, the grufalos are there! They're capable of recording everything and doing cold analysis. Someday, they might retrieve your passwords. ⚠
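The hashing, rainbow-table and salt steps of slides 28 to 38, as an added Python example that is not code from the talk. The user table, the candidate-password list and the (salt, hash) storage layout are constructed here; the slides name no concrete functions, so H is instantiated with SHA-256 and the "better hash function" of slide 37 with PBKDF2-HMAC-SHA256, both of which are this example's choices:

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the service's user table, and the small precomputed
# table the pirates build from common passwords (the slides' simplified rainbow table).
USERS = {"Alice": "123456", "Bob": "azerty", "Carol": "c0rrect-h0rse-battery"}
COMMON_PASSWORDS = ["password", "123456", "azerty", "qwerty", "letmein"]


def H(data: bytes) -> str:
    """The slides' public one-way hash function H, instantiated with SHA-256."""
    return hashlib.sha256(data).hexdigest()


def kdf_fast(s: bytes, password: str) -> str:
    """Slides 34-35: one public hash over salt + password."""
    return H(s + password.encode())


def kdf_slow(s: bytes, password: str, iterations: int = 100_000) -> str:
    """Slide 37's 'better hash function': salted and deliberately slow (PBKDF2-HMAC-SHA256),
    so every guess the pirates test against one user costs `iterations` hash evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), s, iterations).hex()


def unsalted_db(users: dict) -> dict:
    """Slide 28: store H(P) instead of P."""
    return {name: H(pw.encode()) for name, pw in users.items()}


def salted_db(users: dict, kdf=kdf_fast) -> dict:
    """Slides 34-35: a fresh random salt per user, stored next to the salted hash."""
    db = {}
    for name, pw in users.items():
        s = secrets.token_bytes(16)
        db[name] = (s, kdf(s, pw))
    return db


def build_table(candidates) -> dict:
    """Slide 31: key = hash, value = password (a real rainbow table is more compact)."""
    return {H(pw.encode()): pw for pw in candidates}


def lookup(db: dict, table: dict) -> dict:
    """What a leaked table yields against a precomputed one: one lookup per user,
    None on a miss. Accepts a bare hash (slide 28) or a (salt, hash) pair (slide 34)."""
    out = {}
    for name, entry in db.items():
        h = entry[1] if isinstance(entry, tuple) else entry
        out[name] = table.get(h)
    return out


def verify_login(db: dict, name: str, password: str, kdf=kdf_fast) -> bool:
    """Slide 36: recompute the salted hash and compare it in constant time."""
    if name not in db:
        return False
    s, stored = db[name]
    return hmac.compare_digest(kdf(s, password), stored)


if __name__ == "__main__":
    table = build_table(COMMON_PASSWORDS)
    print("unsalted dump:", lookup(unsalted_db(USERS), table))  # Alice and Bob recovered
    db = salted_db(USERS)
    print("salted dump:  ", lookup(db, table))                  # the table misses everyone
    print("login Alice/123456:", verify_login(db, "Alice", "123456"))
```

The salt defeats the precomputed table because the same password no longer maps to the same stored value, but it does not stop the pirates from recomputing guesses per user once they hold the dump: that cost is what the slow, salted derivation of `kdf_slow` raises, and it is the lever behind slide 37's "better hash functions" and the password-hashing.net link in the resources.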
39. Trust problem. "This is too complicated for me! I don't know if it's secure to provide my passwords to services via the Internet!"
40. "How do we deal with the trust problem?" "Well… I don't know… We've used hash functions and salt for decades!" "😭" "😭"
41. "😭 😭 😭" "Why are you crying, little kitties?" "Our password authentication is untrusted! We're untrusted 😭!"
42. "😭 😭 😭" "Why are you crying, little kitties?" "Our password authentication is untrusted! We're untrusted 😭!" "Oh!? Dry your tears! I have a mathemagical solution for you. Let's leverage zero-knowledge authentication with SRP!"
43. SRP - registering credentials. Alice computes x = H(s, "123456").
    • s is a randomly chosen salt, only used for the couple (Alice, Service)
    • H is a one-way hash function
44. SRP - registering credentials. Alice computes x = H(s, "123456") and v = g^x, then sends "Alice", "s", "v".
    • s is a randomly chosen salt, only used for the couple (Alice, Service)
    • H is a one-way hash function
    • g is a public generator modulo a safe prime (i.e. a constant number that is part of the protocol, known by both peers.) *
    • v is called the "password verifier"
45. SRP - registering credentials. Alice computes x = H(s, "123456") and v = g^x, then sends "Alice", "s", "v". The service stores them in its table (Alice "s" "v" | Bob "s2" "v2" | …) and answers "Registration OK", "Alice".
    • s is a randomly chosen salt, only used for the couple (Alice, Service)
    • H is a one-way hash function
    • g is a public generator modulo a safe prime (i.e. a constant number that is part of the protocol, known by both peers.) *
    • v is called the "password verifier"
46. SRP - authentication - scrambling parameter. Alice computes A = g^a and sends "Alice", "A". The service (table: Alice "s" "v" | Bob "s2" "v2" | …) computes B = v + g^b and sends "B".
    • a, b are private ephemeral random values *
    • A, B are public ephemeral values derived from a, b *
47. SRP - authentication - scrambling parameter. Alice computes A = g^a and sends "Alice", "A". The service computes B = v + g^b and sends "B". Both sides then compute u = H(A, B).
    • a, b are private ephemeral random values *
    • A, B are public ephemeral values derived from a, b *
    • u is a common random scrambling parameter *
48. SRP - authentication - session key. The service (table: Alice "s" "v" | Bob "s2" "v2" | …) sends "s"; Alice computes x = H(s, P).
49. SRP - authentication - session key. The service sends "s"; Alice computes x = H(s, P). The service computes S = (A v^u)^b and Alice computes S = (B - g^x)^(a + ux): both get the same S. Mathemagical part! ***
50. SRP - authentication - session key. The service computes S = (A v^u)^b, Alice computes S = (B - g^x)^(a + ux), and both derive K = H(S) *. Mathemagical part! ***
51. "Now Alice and the server share a private session key K. They use this key to encrypt messages, and have confidential communications."
52. "Now Alice and the server share a private session key K. They use this key to encrypt messages, and have confidential communications." "OK! But Alice is still not authenticated!"
53. "Now Alice and the server share a private session key K. They use this key to encrypt messages, and have confidential communications." "OK! But Alice is still not authenticated!" "Yes boy! You are right!"
54. SRP - Key matching. Alice sends M = H(H(N) xor H(g), H("Alice"), s, A, B, K) *; the service checks it and answers with H(A, M, K) *. "Yeah! That rocks 🎉👏"
55. "We have a zero-knowledge authentication protocol, immune to dictionary attacks, over an untrusted network!"
56. "We have a zero-knowledge authentication protocol, immune to dictionary attacks, over an untrusted network!" "We did resolve the trust problem, Alice!"
57. "We have a zero-knowledge authentication protocol, immune to dictionary attacks, over an untrusted network!" "OK! We are losing this battle! But the war is not over!" "We did resolve the trust problem, Alice!"
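The complete exchange of slides 43 to 54 (registration, ephemeral values, session key and key matching) as an added Python example; it is not code from the talk nor from any implementation listed in the resources. It follows the slides' formulas (x = H(s, P), B = v + g^b, u = H(A, B), the M and H(A, M, K) proofs). Assumptions of this example: the group N, g is the 1024-bit one from RFC 5054, transcribed from memory, so the code checks at run time that N is a safe prime; H is SHA-256 over length-prefixed parts; the Server class, client_login and the user "Alice" / "123456" are names constructed here:

```python
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A, with generator g = 2. The constant is
# transcribed from memory, so check_group() verifies at run time that N is a safe prime.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def is_probable_prime(n: int, rounds: int = 12) -> bool:
    """Miller-Rabin with random bases; enough to sanity-check a fixed constant."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group() -> bool:
    """Safe prime: N and (N-1)/2 both prime, so any g in 2..N-2 has order at least (N-1)/2."""
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)


def H(*parts) -> int:
    """The slides' H: SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")


def register(username: str, password: str) -> tuple:
    """Slides 43-45, client side: x = H(s, P), v = g^x; only (username, s, v) is sent."""
    s = secrets.token_bytes(16)
    return username, s, pow(g, H(s, password), N)


class Server:
    """Stores salts and verifiers only; it never receives the password itself."""

    def __init__(self):
        self.db = {}        # username -> (s, v)
        self.sessions = {}  # username -> (s, A, B, K) of a login in progress

    def store(self, username: str, s: bytes, v: int) -> None:
        self.db[username] = (s, v)

    def start_auth(self, username: str, A: int) -> tuple:
        """Slides 46-50: reply with s and B, keep K to check the client's proof later."""
        if A % N == 0:                   # an A of 0 would make S independent of the password
            raise ValueError("invalid client ephemeral value")
        s, v = self.db[username]
        b = secrets.randbelow(N - 2) + 1
        B = (v + pow(g, b, N)) % N       # slide 46 form; SRP-6a multiplies v by k = H(N, g)
        u = H(A, B)                      # slide 47, the scrambling parameter
        S = pow(A * pow(v, u, N), b, N)  # slide 49, server side
        self.sessions[username] = (s, A, B, H(S))   # slide 50: K = H(S)
        return s, B

    def finish_auth(self, username: str, M: int) -> int:
        """Slide 54: verify the client's M, then return the server's own proof H(A, M, K)."""
        s, A, B, K = self.sessions.pop(username)
        expected = H(H(N) ^ H(g), H(username), s, A, B, K).to_bytes(32, "big")
        if M.bit_length() > 256 or not hmac.compare_digest(expected, M.to_bytes(32, "big")):
            raise PermissionError("client proof rejected")
        return H(A, M, K)


def client_login(server: Server, username: str, password: str) -> int:
    """Client side of slides 46-54; returns the shared session key K on success."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    s, B = server.start_auth(username, A)
    if B % N == 0:
        raise ValueError("invalid server ephemeral value")
    u = H(A, B)
    x = H(s, password)                                 # slide 48
    S = pow((B - pow(g, x, N)) % N, a + u * x, N)      # slide 49, client side
    K = H(S)                                           # slide 50
    M = H(H(N) ^ H(g), H(username), s, A, B, K)        # slide 54, client proof
    if server.finish_auth(username, M) != H(A, M, K):  # slide 54, server proof
        raise PermissionError("server proof rejected")
    return K
```

Why both S values agree: B - g^x is g^b, so the client computes (g^b)^(a + ux) = g^(ab + bux), while the server computes (g^a · g^(xu))^b, the same exponent; a wrong password gives a different x, a different S and K, and a client proof M the server rejects. Two details matter when going from the slides to a deployment: RFC 5054 (SRP-6a, the variant most libraries and TLS-SRP use) computes B = k·v + g^b with k = H(N, g) and x = H(s, H(I ":" P)), and both sides must reject an A or B that is 0 modulo N, as the code does; and, as slide 59 says, the registration message (s, v) is the one message that still needs a protected channel, because v lets whoever captures it test password guesses offline.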
58. Password safety during authentication, traditional password hashing vs Secure Remote Password:
    • Dictionary attack: exposed 😈 vs immune 🛡
    • Man In the Middle attack: exposed 😈 vs immune 🛡
    • Untrusted service: exposed 😈 vs immune 🛡
59. SRP limitations
    • The registration step is sensitive and could be eavesdropped
    • The new generation is OPAQUE: hashing functions (1970) → SRP (1998) → OPAQUE (2019)
60. Resources
    • How bad we are with our password habits
      ◦ https://connect.ed-diamond.com/MISC/misc-094/psychologie-comportementale-que-faire-du-mot-de-passe
      ◦ https://www.lastpass.com/fr/resources/ebook/psychology-of-passwords-2020
      ◦ https://linc.cnil.fr/fr/de-azerty-paword-une-revue-des-pratiques-de-gestion-des-mots-de-passe
      ◦ https://github.com/tarraschk/richelieu
    • Miscellaneous
      ◦ https://www.password-hashing.net/
      ◦ https://fr.wikipedia.org/wiki/Attaque_de_l%27homme_du_milieu
      ◦ https://pages.nist.gov/800-63-3/sp800-63b.html
61. Resources
    • Secure Remote Password (paper, blog and RFCs)
      ◦ http://srp.stanford.edu/ (papers and RFCs)
      ◦ https://support.1password.com/secure-remote-password/
      ◦ https://www.cryptologie.net/article/503/user-authentication-with-passwords-whats-srp/
      ◦ https://protonmail.com/blog/encrypted_email_authentication/
    • Secure Remote Password (code)
      ◦ https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Implementations
      ◦ https://github.com/ProtonMail/WebClients
    • OPAQUE
      ◦ https://cfrg.github.io/draft-irtf-cfrg-opaque/draft-irtf-cfrg-opaque.html
      ◦ https://blog.cloudflare.com/opaque-oblivious-passwords/