7

The SRP protocol as described in RFC 2945 generates the password verifier:

x = SHA(<salt> | SHA(<username> | ":" | <raw password>))
v = g^x % N

I have three questions: why use SHA twice, why involve the username and why add a separator? Do these add any practical security over x = SHA(<salt> | <raw password>)?

jnm2
  • 1,762
  • 14
  • 27

2 Answers

7

SHA-1 is not an ideal hash function (actually, neither are the SHA-2 functions). The double hash invocation hides a few of the internal shortcomings of SHA-1. This is similar to HMAC, which also uses a double hash invocation for pretty much the same reasons. In more detail, we want the function which maps the username-and-password to x (function selected by the salt among a family of functions) to behave like a random oracle, and the normal security properties of hash functions (collision resistance, preimage resistance) are not enough to guarantee such behavior.

The username is involved so as to make security proofs easier: it allows the security analysis to concentrate on a single user, without having to account for what happens when a given server accepts several users, each with his own password. The separator contributes to the same goal: otherwise, "john" with the password "ny67dtzo" and "johnny" with the password "67dtzo" would live in the same world, security-wise.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • What defines an ideal hash function, for this kind of application? – jnm2 Jun 16 '11 at 13:12
  • 2
    @jnm2: precise definition is a bit complex. Here, what is needed is that _x_ is uniformly distributed over the space of 160-bit values, which can be modeled with the mythical "random oracle". This in turn can be proven in the double-hash construction as long as the hash function (here SHA-1) uses the Merkle-Damgård construction over a compression function which is indistinguishable from a PRF. All the details require a dozen pages (at least). Summary: do not fiddle with it, use the double hash. – Thomas Pornin Jun 16 '11 at 13:33
  • Can I use SHA-2 in place of SHA-1? Would using a larger hash like SHA512 increase security at all? – jnm2 Jun 16 '11 at 13:41
  • 1
    @jnm2: on a general basis, do _not_ change cryptographic protocols in any way. It is just too easy to introduce weaknesses. In that specific instance, yes, you could use SHA-2 instead of SHA-1, that is, if you insist on not being compatible with the rest of the world. It will not change security much because SHA-1 output size does not induce a substantial weakness here (this is working on preimage resistance, hence already in the 2^160 realm). – Thomas Pornin Jun 16 '11 at 14:01
2

The separator is a good cryptographic design practice, whenever feeding multiple strings into a hash function. It helps prevent confusion between, e.g., username bob, password bydesign and username bobby, password design.

The general design principle is "Be careful when concatenating multiple strings, before hashing". You can find a more detailed explanation at that link. Violations of this design principle have led to flaws in the past, so it is good practice to always follow the design principle, even when you can't think of an obvious attack.

D.W.
  • 98,420
  • 30
  • 267
  • 572
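The following added example (not part of the question or either answer, and not code from any SRP implementation) computes x and v exactly as the question quotes from RFC 2945, and shows concretely the concatenation ambiguity both answers describe: without the ":" separator, "john"/"ny67dtzo" and "johnny"/"67dtzo" (and "bob"/"bydesign" versus "bobby"/"design") hash to the same x, while with the separator they do not. The group parameters N = 23, g = 5 are a constructed toy group for readability only; a real deployment uses a standard large safe-prime group. The salt values are likewise constructed.

```python
import hashlib

# Toy group, constructed for illustration only. Real SRP needs a large safe
# prime N and a generator g of the whole group (e.g. an RFC 5054 group).
TOY_N = 23
TOY_G = 5


def srp_x(salt: bytes, username: bytes, password: bytes) -> int:
    """x = SHA(salt | SHA(username | ":" | password)), as in RFC 2945.

    The inner hash binds the username to the password; the ":" separator
    makes the (username, password) -> bytes mapping unambiguous as long as
    usernames cannot contain ":" (a check the registration path must enforce).
    """
    inner = hashlib.sha1(username + b":" + password).digest()
    outer = hashlib.sha1(salt + inner).digest()
    return int.from_bytes(outer, "big")


def srp_verifier(salt: bytes, username: bytes, password: bytes,
                 N: int = TOY_N, g: int = TOY_G) -> int:
    """v = g^x mod N; the server stores (salt, v) instead of the password."""
    return pow(g, srp_x(salt, username, password), N)


def naive_x(salt: bytes, username: bytes, password: bytes) -> int:
    """The separator-free variant the answers warn against:
    SHA(salt | SHA(username | password)). Plain concatenation cannot tell
    where the username ends and the password begins."""
    inner = hashlib.sha1(username + password).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def same_x(x_fn, salt: bytes, cred_a, cred_b) -> bool:
    """True if two (username, password) pairs derive the same x under x_fn."""
    return x_fn(salt, *cred_a) == x_fn(salt, *cred_b)


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; real salts are random per user
    pairs = [((b"john", b"ny67dtzo"), (b"johnny", b"67dtzo")),
             ((b"bob", b"bydesign"), (b"bobby", b"design"))]
    for a, b in pairs:
        print(a, b,
              "naive collides:", same_x(naive_x, salt, a, b),
              "RFC 2945 collides:", same_x(srp_x, salt, a, b))
    print("toy verifier for bob:", srp_verifier(salt, b"bob", b"bydesign"))
```

The collision in the naive variant is not a SHA-1 weakness; it is a framing error in the input encoding, which is why both answers treat the separator as a design rule rather than an attack-specific patch.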