@node Shared-key and anonymous authentication
@section Shared-key and anonymous authentication

In addition to certificate authentication, the TLS protocol may be
used with password, shared-key and anonymous authentication methods.
The rest of this chapter discusses details of these methods.

* PSK authentication::
* Anonymous authentication::

@node SRP authentication
@subsection SRP authentication

* Authentication using SRP::
* srptool Invocation:: Invoking srptool

@node Authentication using SRP
@subsubsection Authentication using @acronym{SRP}
@cindex SRP authentication

@acronym{GnuTLS} supports authentication via the Secure Remote Password
or @acronym{SRP} protocol (see @xcite{RFC2945,TOMSRP} for a description).
The @acronym{SRP} key exchange is an extension to the
@acronym{TLS} protocol, and it provides a password-authenticated
key exchange. The peers can be identified using a single password,
or there can be combinations where the client is authenticated using @acronym{SRP}
and the server using a certificate.

The advantage of @acronym{SRP} authentication, over other proposed
secure password authentication schemes, is that @acronym{SRP} is not
susceptible to off-line dictionary attacks.
Moreover, SRP does not require the server to hold the user's password.
This kind of protection is similar to the one used traditionally in the @acronym{UNIX}
@file{/etc/passwd} file, where the contents of this file did not cause
harm to the system security if they were revealed. Instead of the plain
password, @acronym{SRP} needs a value called a verifier, which
is calculated using the user's password, and if stolen cannot be used
to impersonate the user.
@c The Stanford @acronym{SRP} libraries, include a PAM module that synchronizes
@c the system's users passwords with the @acronym{SRP} password
@c files. That way @acronym{SRP} authentication could be used for all users

Typical conventions in SRP are a password file, called @file{tpasswd}, that
holds the SRP verifiers (encoded passwords) and another file, @file{tpasswd.conf},
which holds the allowed SRP parameters. The helpers included in GnuTLS
follow those conventions. The srptool program, discussed in the next section,
is a tool to manipulate the SRP parameters.
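
The verifier relationship described above, as an added example that is not part of the GnuTLS manual or its code: a Python rendering of the SRP-6a arithmetic from the TLS-SRP specification with its 1024-bit group, in which the server side uses only the stored verifier. The account, salt and function names are constructed for illustration, and the two premaster secrets are compared directly instead of through the TLS Finished messages.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A (small, chosen for brevity only).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
NLEN = (N.bit_length() + 7) // 8

def h_int(*parts: bytes) -> int:
    """SHA-1 over the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def pad(n: int) -> bytes:
    """Big-endian encoding, left-padded to the length of N."""
    return n.to_bytes(NLEN, "big")

K = h_int(pad(N), pad(G))  # SRP-6a multiplier k = H(N | PAD(g))

def private_x(user: bytes, password: bytes, salt: bytes) -> int:
    """x = H(salt | H(user ":" password)); needs the password itself."""
    return h_int(salt, hashlib.sha1(user + b":" + password).digest())

def make_verifier(user: bytes, password: bytes, salt: bytes) -> int:
    """v = g^x mod N, the value the server stores instead of the password."""
    return pow(G, private_x(user, password, salt), N)

def login_succeeds(user: bytes, typed: bytes, salt: bytes, stored_v: int) -> bool:
    """Run one exchange; True when both sides derive the same premaster secret."""
    a, b = secrets.randbits(256), secrets.randbits(256)  # ephemeral secrets
    A = pow(G, a, N)                                     # client -> server
    B = (K * stored_v + pow(G, b, N)) % N                # server -> client
    u = h_int(pad(A), pad(B))
    x = private_x(user, typed, salt)                     # client side only
    client = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    server = pow(A * pow(stored_v, u, N) % N, b, N)      # uses v, never the password
    return client == server

# Constructed sample account, not taken from the manual.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
V = make_verifier(b"alice", b"correct horse", SALT)
```

`login_succeeds(b"alice", pad(V), SALT, V)` returns False: presenting the stored verifier in place of the password does not authenticate. A stolen verifier still lets its holder test password guesses offline, so @file{tpasswd} needs the same protection as any password hash file.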

The implementation in @acronym{GnuTLS} is based on @xcite{TLSSRP}. The
supported key exchange methods are shown below.

Authentication using the @acronym{SRP} protocol.

Client authentication using the @acronym{SRP} protocol. Server is
authenticated using a certificate with DSA parameters.

Client authentication using the @acronym{SRP} protocol. Server is
authenticated using a certificate with RSA parameters.

@showfuncdesc{gnutls_srp_verifier}

@showfuncB{gnutls_srp_base64_encode_alloc,gnutls_srp_base64_decode_alloc}

@include invoke-srptool.texi

@node PSK authentication
@subsection PSK authentication

* Authentication using PSK::
* psktool Invocation:: Invoking psktool

@node Authentication using PSK
@subsubsection Authentication using @acronym{PSK}
@cindex PSK authentication

Authentication using Pre-shared keys is a method to authenticate using
usernames and binary keys. This protocol avoids making use of public
key infrastructure and expensive calculations, thus it is suitable for

The implementation in @acronym{GnuTLS} is based on @xcite{TLSPSK}.
The supported @acronym{PSK} key exchange methods are:

Authentication using the @acronym{PSK} protocol.

Authentication using the @acronym{PSK} protocol and Diffie-Hellman key
exchange. This method offers perfect forward secrecy.

Authentication using the @acronym{PSK} protocol and Elliptic curve Diffie-Hellman key
exchange. This method offers perfect forward secrecy.

Authentication using the @acronym{PSK} protocol for the client and an RSA certificate

Helper functions to generate and maintain @acronym{PSK} keys are also included

@showfuncC{gnutls_key_generate,gnutls_hex_encode,gnutls_hex_decode}

@include invoke-psktool.texi

@node Anonymous authentication
@subsection Anonymous authentication
@cindex anonymous authentication

The anonymous key exchange offers encryption without any
indication of the peer's identity. This kind of authentication
is vulnerable to a man-in-the-middle attack, but can be
used even if there is no prior communication or shared trusted parties
with the peer. It is useful for establishing a session over which certificate
authentication will occur, in order to hide the identities of the participants
from passive eavesdroppers.

Except in the above case, it is not recommended to use anonymous authentication.
In the cases where there is no prior communication with the peers,
an alternative with better properties, such as key continuity, is trust on first use
(see @ref{Verifying a certificate using trust on first use authentication}).

The available key exchange algorithms for anonymous authentication are
shown below, but note that few public servers support them, and they
have to be explicitly enabled.

This algorithm exchanges Diffie-Hellman parameters.

This algorithm exchanges elliptic curve Diffie-Hellman parameters. It is more
efficient than ANON_DH at equivalent security levels.