[1877] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Services not required?

daemon@ATHENA.MIT.EDU (Tom Wu)
Mon Jun 15 07:29:01 1998

From: Tom Wu <tjw@CS.Stanford.EDU>
To: dsiemon@stratford.webgate.net (Dan Siemon)
Date: Thu, 11 Jun 1998 10:58:38 -0700 (PDT)
Cc: tjw@CS.Stanford.EDU, linux-security@redhat.com
In-Reply-To: <35800D42.A6784386@stratford.webgate.net> from "Dan Siemon" at Jun 11, 98 01:00:50 pm
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

Dan Siemon writes:
> 
> I am interested in a comparison of Telnet98(SRP) with SSH. Advantages?
> Disadvantages? How secure is it? Why use it instead of SSH?
> 
> Tom Wu wrote:
> > 
> > Replace unencrypted telnet with telnet-98.02.16, which supports
> > strong encryption via either SRP or Kerberos.  Run telnetd with
> > the "-a valid" option in inetd, which will permit only secure
> > connections to succeed.  The same applies to secure, SRP-enabled
> > FTP.  Windows and Linux clients/servers are at
> > <http://srp.stanford.edu/srp/>.

Advantages:

- SRP is not susceptible to the MITM attack against SSH even if the
  two hosts have never executed the SSH protocol before.
- SRP gives security equivalent to SSH's stored RSA key authentication
  (e.g. zero knowledge, perfect forward secrecy) with standard passwords
  and without client-side stored keys.
- SRP, in effect, solves the bootstrapping problem by leveraging a
  low-entropy secret (the password) into a high-entropy session key
  without being susceptible to dictionary attacks the way Kerberos,
  S/Key, and challenge-response protocols are.
- SRP is a pure authentication protocol, which uses no encryption to
  establish initial authentication.  Thus it is not subject to export
  restrictions.  Strength of the authentication is independent of the
  strength of the session cipher.  With perfect forward secrecy, even
  giving up the session key does not allow a dictionary attack against
  the password.  With SSH and Unix passwords, OTOH, compromising the
  session key compromises the plaintext password.
- Since authentication and encryption are orthogonal, one can, for
  example, export full-strength SRP from the US with 40-bit session
  crypto.

Disadvantages:

- Protocol is newer than RSA; it has only been widely known since mid-
  1997 and was published earlier this year.
- Fewer clients and servers support it... so far.  For example, a
  Mac client still needs to be written.  Wider awareness is probably
  the best way to rectify that situation.

The telnet98 source code is publicly available for scrutiny, of course,
and I would be willing to help get the patches into the NetKit telnet
for RedHat and other Linux distributions.  SRP is a simple Telnet
auth protocol extension, a la RFC 1416, so it is autonegotiated
like any other Telnet option; it would be nice to have a single
"super-telnet" binary that supported all the auth options and
servers that autodetected what mechanisms were supported at run
time.

Linux PAM modules are also available to handle the new Exponential
Password File Format, see <http://srp.stanford.edu/srp/> to download
them.
-- 
Tom Wu                        * finger -l tjw@xenon.stanford.edu for PGP key *
 E-mail: tjw@cs.Stanford.EDU          "The box said 'Requires Windows 95, NT,
  Phone: (650) 725-6969                   or better,' so I installed Linux."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post