From 86856f497377aa0c9b39551a2df013b915be21ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Tue, 12 Mar 2013 18:23:11 +0100 Subject: Gonna try jboss srp implementation, because if I implement myself one we will have to audit it. --- src/org/jboss/security/srp/SRPServerSession.java | 285 +++++++++++++++++++++++ 1 file changed, 285 insertions(+) create mode 100644 src/org/jboss/security/srp/SRPServerSession.java (limited to 'src/org/jboss/security/srp/SRPServerSession.java') diff --git a/src/org/jboss/security/srp/SRPServerSession.java b/src/org/jboss/security/srp/SRPServerSession.java new file mode 100644 index 00000000..11dc6d4c --- /dev/null +++ b/src/org/jboss/security/srp/SRPServerSession.java @@ -0,0 +1,285 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2008, Red Hat Middleware LLC, and individual contributors + * as indicated by the @author tags. See the copyright.txt file in the + * distribution for a full listing of individual contributors. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package org.jboss.security.srp; + +import java.io.Serializable; +import java.math.BigInteger; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Arrays; + +import org.jboss.logging.Logger; +import org.jboss.crypto.CryptoUtil; + +/** The server side logic to the SRP protocol. The class is the server side + equivalent of the SRPClientSession object. An implementation of + SRPServerInterface creates an SRPServerSession on the start of a login + session. + + The client side algorithm using these classes consists of: + + 1. Get server, SRPServerInterface server = (SRPServerInterface) Naming.lookup(...); + 2. Get SRP parameters, SRPParameters params = server.getSRPParameters(username); + 3. Create a client session, SRPClientSession client = new SRPClientSession(username, password, params); + 4. Exchange public keys, byte[] A = client.exponential(); + byte[] B = server.init(username, A); + 5. Exchange challenges, byte[] M1 = client.response(B); + byte[] M2 = server.verify(username, M1); + 6. Verify the server response, if( client.verify(M2) == false ) + throw new SecurityException("Failed to validate server reply"); + 7. Validation complete + + Note that these steps are stateful. They must be performed in order and a + step cannot be repeated to update the session state. + + This product uses the 'Secure Remote Password' cryptographic + authentication system developed by Tom Wu (tjw@CS.Stanford.EDU). + + @author Scott.Stark@jboss.org + @version $Revision: 81038 $ + */ +public class SRPServerSession implements Serializable +{ + /** The serial version ID + @since 1.6 + */ + static final long serialVersionUID = -2448005747721323704L; + private static int B_LEN = 64; // 64 bits for 'b' + private static Logger log = Logger.getLogger(SRPServerSession.class); + + private SRPParameters params; + private BigInteger N; + private BigInteger g; + private BigInteger v; + private BigInteger b; + private BigInteger B; + private byte[] K; + /** The M1 = H(H(N) xor H(g) | H(U) | s | A | B | K) hash */ + private transient MessageDigest clientHash; + private byte[] M1; + /** The M2 = H(A | M | K) hash */ + private transient MessageDigest serverHash; + private byte[] M2; + + /** Creates a new SRP server session object from the username, password + verifier, and session parameters. + @param username, the user ID + @param vb, the password verifier byte sequence + @param params, the SRP parameters for the session + */ + public SRPServerSession(String username, byte[] vb, SRPParameters params) + { + this.params = params; + this.v = new BigInteger(1, vb); + this.g = new BigInteger(1, params.g); + this.N = new BigInteger(1, params.N); + if( log.isTraceEnabled() ) + log.trace("g: "+CryptoUtil.tob64(params.g)); + if( log.isTraceEnabled() ) + log.trace("v: "+CryptoUtil.tob64(vb)); + serverHash = CryptoUtil.newDigest(); + clientHash = CryptoUtil.newDigest(); + // H(N) + byte[] hn = CryptoUtil.newDigest().digest(params.N); + if( log.isTraceEnabled() ) + log.trace("H(N): "+CryptoUtil.tob64(hn)); + // H(g) + byte[] hg = CryptoUtil.newDigest().digest(params.g); + if( log.isTraceEnabled() ) + log.trace("H(g): "+CryptoUtil.tob64(hg)); + // clientHash = H(N) xor H(g) + byte[] hxg = CryptoUtil.xor(hn, hg, 20); + if( log.isTraceEnabled() ) + log.trace("H(N) xor H(g): "+CryptoUtil.tob64(hxg)); + clientHash.update(hxg); + if( log.isTraceEnabled() ) + { + MessageDigest tmp = CryptoUtil.copy(clientHash); + log.trace("H[H(N) xor H(g)]: "+CryptoUtil.tob64(tmp.digest())); + } + // clientHash = H(N) xor H(g) | H(U) + clientHash.update(CryptoUtil.newDigest().digest(username.getBytes())); + if( log.isTraceEnabled() ) + { + MessageDigest tmp = CryptoUtil.copy(clientHash); + log.trace("H[H(N) xor H(g) | H(U)]: "+CryptoUtil.tob64(tmp.digest())); + } + // clientHash = H(N) xor H(g) | H(U) | s + clientHash.update(params.s); + if( log.isTraceEnabled() ) + { + MessageDigest tmp = CryptoUtil.copy(clientHash); + log.trace("H[H(N) xor H(g) | H(U) | s]: "+CryptoUtil.tob64(tmp.digest())); + } + K = null; + } + + /** + * @returns The user's password salt + */ + public SRPParameters getParameters() + { + return params; + } + + /** + * @returns The exponential residue (parameter B) to be sent to the + * client. + */ + public byte[] exponential() + { + if(B == null) + { + BigInteger one = BigInteger.valueOf(1); + do + { + b = new BigInteger(B_LEN, CryptoUtil.getPRNG()); + } while(b.compareTo(one) <= 0); + B = v.add(g.modPow(b, N)); + if(B.compareTo(N) >= 0) + B = B.subtract(N); + } + return CryptoUtil.trim(B.toByteArray()); + } + + /** + @param ab The client's exponential (parameter A). + @returns The secret shared session K between client and server + @exception NoSuchAlgorithmException thrown if the session key + MessageDigest algorithm cannot be found. + */ + public void buildSessionKey(byte[] ab) throws NoSuchAlgorithmException + { + if( log.isTraceEnabled() ) + log.trace("A: "+CryptoUtil.tob64(ab)); + byte[] nb = CryptoUtil.trim(B.toByteArray()); + // clientHash = H(N) xor H(g) | H(U) | s | A + clientHash.update(ab); + if( log.isTraceEnabled() ) + { + MessageDigest tmp = CryptoUtil.copy(clientHash); + log.trace("H[H(N) xor H(g) | H(U) | s | A]: "+CryptoUtil.tob64(tmp.digest())); + } + // clientHash = H(N) xor H(g) | H(U) | A | B + clientHash.update(nb); + if( log.isTraceEnabled() ) + { + MessageDigest tmp = CryptoUtil.copy(clientHash); + log.trace("H[H(N) xor H(g) | H(U) | s | A | B]: "+CryptoUtil.tob64(tmp.digest())); + } + // serverHash = A + serverHash.update(ab); + // Calculate u as the first 32 bits of H(B) + byte[] hB = CryptoUtil.newDigest().digest(nb); + byte[] ub = + {hB[0], hB[1], hB[2], hB[3]}; + // Calculate S = (A * v^u) ^ b % N + BigInteger A = new BigInteger(1, ab); + if( log.isTraceEnabled() ) + log.trace("A: "+CryptoUtil.tob64(A.toByteArray())); + if( log.isTraceEnabled() ) + log.trace("B: "+CryptoUtil.tob64(B.toByteArray())); + if( log.isTraceEnabled() ) + log.trace("v: "+CryptoUtil.tob64(v.toByteArray())); + BigInteger u = new BigInteger(1, ub); + if( log.isTraceEnabled() ) + log.trace("u: "+CryptoUtil.tob64(u.toByteArray())); + BigInteger A_v2u = A.multiply(v.modPow(u, N)).mod(N); + if( log.isTraceEnabled() ) + log.trace("A * v^u: "+CryptoUtil.tob64(A_v2u.toByteArray())); + BigInteger S = A_v2u.modPow(b, N); + if( log.isTraceEnabled() ) + log.trace("S: "+CryptoUtil.tob64(S.toByteArray())); + // K = SessionHash(S) + MessageDigest sessionDigest = MessageDigest.getInstance(params.hashAlgorithm); + K = sessionDigest.digest(S.toByteArray()); + if( log.isTraceEnabled() ) + log.trace("K: "+CryptoUtil.tob64(K)); + // clientHash = H(N) xor H(g) | H(U) | A | B | K + clientHash.update(K); + if( log.isTraceEnabled() ) + { + MessageDigest tmp = CryptoUtil.copy(clientHash); + log.trace("H[H(N) xor H(g) | H(U) | s | A | B | K]: "+CryptoUtil.tob64(tmp.digest())); + } + } + + /** Returns the negotiated session K, K = SessionHash(S) + @return the private session K byte[] + @throws SecurityException - if the current thread does not have an + getSessionKey SRPPermission. + */ + public byte[] getSessionKey() throws SecurityException + { + SecurityManager sm = System.getSecurityManager(); + if( sm != null ) + { + SRPPermission p = new SRPPermission("getSessionKey"); + sm.checkPermission(p); + } + return K; + } + + /** + @returns M2 = H(A | M | K) + */ + public byte[] getServerResponse() + { + if( M2 == null ) + M2 = serverHash.digest(); + return M2; + } + public byte[] getClientResponse() + { + return M1; + } + + /** + * @param resp The client's response to the server's challenge + * @returns True if and only if the client's response was correct. + */ + public boolean verify(byte[] clientM1) + { + boolean valid = false; + // M1 = H(H(N) xor H(g) | H(U) | A | B | K) + M1 = clientHash.digest(); + if( log.isTraceEnabled() ) + { + log.trace("verify M1: "+CryptoUtil.tob64(M1)); + log.trace("verify clientM1: "+CryptoUtil.tob64(clientM1)); + } + if( Arrays.equals(clientM1, M1) ) + { + // serverHash = A | M + serverHash.update(M1); + // serverHash = A | M | K + serverHash.update(K); + if( log.isTraceEnabled() ) + { + MessageDigest tmp = CryptoUtil.copy(serverHash); + log.trace("H(A | M1 | K)"+CryptoUtil.tob64(tmp.digest())); + } + valid = true; + } + return valid; + } +} -- cgit v1.2.3