The SRP protocol is an implementation of a public key exchange handshake described in RFC2945. The RFC2945 abstract states: “This document describes a cryptographically strong network authentication mechanism known as the Secure Remote Password (SRP) protocol. This mechanism is suitable for negotiating secure connections using a user-supplied password, while eliminating the security problems traditionally associated with reusable passwords. This system also performs a secure key exchange in the process of authentication, allowing security layers (privacy and/or integrity protection) to be enabled during the session. Trusted key servers and certificate infrastructures are not required, and clients are not required to store or manage any long-term keys. SRP offers both security and deployment advantages over existing challenge-response techniques, making it an ideal drop-in replacement where secure password authentication is needed.”
SRP is similar in concept and security to other public key exchange algorithms like Diffie-Hellman and RSA. It does this using a simple passwords in a way that does not require a clear text password to exist on the server. This is in contrast to requiring client certificates and the corresponds certificate management infrastructure.
The JBossSX framework includes an implementation of SRP that consists of the following elements:
An implementation of the SRP handshake protocol that is independent of any particular client/server protocol
An RMI implementation of the handshake protocol as the default client/server SRP implementation
A client side JAAS LoginModule implementation that uses the RMI implimentation for use in authenticating clients in a secure fashion
A JMX MBean for managing the RMI server implementation. The mbean allows the RMI server implementation to be plugged into a JMX framework and externalizes the configuration of the verification information store. It also establishes a authentication cache that is bound into the JBoss server JNDI namespace.
A server side JAAS LoginModule implementation that uses the authentication cache managed by the SRP JMX MBean.
Figure 7.7 gives a diagram of the key components involved in the SRP client/server framework.
Наши друзья |