### Challenge 36: Implement Secure Remote Password (SRP)

[Back to Index](CryptoPalsWalkthroughs_Cobb.ipynb)

In [2]:
from Crypto.Util import number
from Crypto.Random import random
from Crypto.Hash.SHA256 import SHA256Hash

<div class="alert alert-block alert-info">

To understand SRP, look at how you generate an AES key from DH; now, just observe you can do the "opposite" operation an generate a numeric parameter from a hash. Then:
    
Replace A and B with C and S (client & server)

</div>

<div class="alert alert-block alert-info">

You're going to want to do this at a REPL of some sort; it may take a couple tries.

It doesn't matter how you go from integer to string or string to integer (where things are going in or out of SHA256) as long as you do it consistently. I tested by using the ASCII decimal representation of integers as input to SHA256, and by converting the hexdigest to an integer when processing its output.

This is basically Diffie Hellman with a tweak of mixing the password into the public keys. The server also takes an extra step to avoid storing an easily crackable password-equivalent.

</div>

Per [Wikipedia](https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop):  

> A read–eval–print loop (REPL), also termed an interactive toplevel or language shell, is a simple, interactive computer programming environment that takes single user inputs (i.e., single expressions), evaluates (executes) them, and returns the result to the user; a program written in a REPL environment is executed piecewise. The term is usually used to refer to programming interfaces similar to the classic Lisp machine interactive environment. Common examples include command line shells and similar environments for programming languages, and the technique is very characteristic of scripting languages.[1]

Jupyter lab does a fine job.  :)

---
The description of this challenge didn't do a very good job of describing the protocol itself.  

For the current version (SRP-6a), the protocol looks like this (from Wikipedia implementation):

```H```, ```N```, ```g```, and ```k``` are known beforehand to both client and server:

0. server stores (```I```, ```s```, ```v```) in its password database
1. client sends username ```I``` and public ephemeral value ```A``` to the server
2. server sends user's salt ```s``` and public ephemeral value ```B``` to client 
3. client and server calculate the random scrambling parameter (```u```)
4. client computes session key (```S_c``` ==> ```K_c```)
5. server computes session key (```S_s``` ==> ```K_s```)
6. client sends proof of session key to server
7. server sends proof of session key to client

This challenge looks like it's based on the **legacy SRP-6 protocol**, which specifies k=3 instead of a hash H(N, g)

---

<div class="alert alert-block alert-info">   
    
    
```C & S```

Agree on N=[NIST Prime], g=2, k=3, I (email), P (password)


</div>

---
#### ```H```, ```N```, ```g```, and ```k``` are known beforehand to both client and server:

---

- ```H``` is SHA-256 

- ```N``` is a strong prime.  I randomly generate one using the Crypto.Util.number package.

- ```g = 2``` for SRP-6

- ```k = 3``` for SRP-6

- ```P``` we will assume was chosen when the user ```I``` was enrolled.

In [3]:
N = number.getStrongPrime(2048, e=0, false_positive_prob=1e-06, randfunc=None)
g = 2
k = 3
I = 'some.name@email.com'
P = 'BADPa$$word'

---

<div class="alert alert-block alert-info">   
    
```S```

1. Generate salt as random integer
2. Generate string xH=SHA256(salt|password)
3. Convert xH to integer x somehow (put 0x on hexdigest)
4. Generate v=g**x % N
5. Save everything but x, xH

</div>

---
0. server stores (```I```, ```s```, ```v```) in its password database

---

_Note: ```v``` is derived from ```s``` and ```P```, and is used to securely authenticate a client supplied password_

In [4]:
# Generate random salt (64-bit integer)
s = random.randint(0, 2**64-1)

# x = int(H(S|P))
# mySHA = SHA256Hash((str(s) + P).encode())
xH = SHA256Hash((str(s) + P).encode()).digest().hex()
x = int(xH, 16)

# v = g**x % N
v = pow(g, x, N)

# x is discarded.  s and v are stored with I in the server's password database.

S_record = {'I':I, 's':s, 'v':v}

---
<div class="alert alert-block alert-info">
    
```C->S```
    
Send I, A=g**a % N (a la Diffie Hellman)

</div>

---
1. client sends username ```I``` and public ephemeral value ```A``` to the server

---

Note:  ```a``` is the client's private key.  ```A``` is the client's public key.  *These are ephemeral / generated randomly for each session.*

In [4]:
a = random.randint(0, 2**64-1) % N
A = pow(g, a, N)

<div class="alert alert-block alert-info">
    
```S->C```
    
Send salt, B=kv + g**b % N

</div>

---
2. server sends user's salt ```s``` and public ephemeral value ```B``` to client 

---

Note:  ```b``` is the server's private key.  ```B``` is the server's public key.  *These are ephemeral / generated randomly for each session.*

In [5]:
b = random.randint(0, 2**64-1) % N
B = (k*v + pow(g, b, N)) % N

<div class="alert alert-block alert-info">    
    
```S, C```
    
Compute string uH = SHA256(A|B), u = integer of uH
    
</div>

---
3. client and server calculate the random scrambling parameter (```u```)

---

Note:  ```A``` and ```B``` are large integers (modulo ```N```).  Our SHA256 wants bytes.  We'll convert strings and concatenate, then encode as utf-8.  The client and server both know A and B (public keys) and perform the operation the same way.

In [6]:
mySHA = SHA256Hash((str(A) + str(B)).encode())
u = pow(g, int(mySHA.digest().hex(), 16), N)

<div class="alert alert-block alert-info">

```C```

1. Generate string xH=SHA256(salt|password)
2. Convert xH to integer x somehow (put 0x on hexdigest)
3. Generate S = (B - k * g \** x) \** (a + u * x) % N
4. Generate K = SHA256(S)

</div>

---
4. client computes session key (```S_c``` ==> ```K_c```)

---

Wikipedia and the challenge do this differently.  Wikipedia includes I in the hash.  Cryptopals just hashes ```salt|password```.  I followed the cryptopals challenge for this exercise.

In [7]:
mySHA = SHA256Hash(bytes(str(s) + P, 'utf-8'))
x = int(mySHA.digest().hex(), 16)

S_client = pow(B - k * pow(g, x, N), a + u * x, N)
mySHA = SHA256Hash(str(S_client).encode())
K_client = mySHA.digest()

<div class="alert alert-block alert-info">

```S```

1. Generate S = (A * v \** u) \** b % N
2. Generate K = SHA256(S)

</div>

---

5. server computes session key (```S_s``` ==> ```K_s```)

---

In [8]:
S_server = pow (A * pow(S_record['v'], u, N), b, N)
mySHA = SHA256Hash(str(S_server).encode())
K_server = mySHA.digest()

<div class="alert alert-block alert-info">

```C->S```
    
Send HMAC-SHA256(K, salt)

</div>

---
6. client sends proof of session key to server

---

Note:  The challenge uses a very simple technique to exchange proof of session key.   They both just send H(K, s) to each other.  

There are probably better ways... (based on this technique, nothing prevents the server from replaying the Client's proof of session key back to the Client).

In [9]:
mySHA = SHA256Hash(K_client + str(s).encode())
C_Proof = mySHA.digest()

<div class="alert alert-block alert-info">

```S->C```
    
Send "OK" if HMAC-SHA256(K, salt) validates

</div>

---
7. server sends proof of session key to client

---

In [10]:
mySHA = SHA256Hash(K_server + str(s).encode())
S_Proof = mySHA.digest()

In [11]:
print(f"S_Proof = {S_Proof.hex()}")
print(f"C_Proof = {C_Proof.hex()}")
print()
if S_Proof == C_Proof:
    print(f"Proofs of session keys validate on both sides")
else:
    print(f"Whoops")

S_Proof = 8b6cb100e0379760686caa4f934d1b45155617c88363c05146220660d5b21da4
C_Proof = 8b6cb100e0379760686caa4f934d1b45155617c88363c05146220660d5b21da4

Proofs of session keys validate on both sides


[Back to Index](CryptoPalsWalkthroughs_Cobb.ipynb)