13.2. Configure Secure Remote Password Information
You must create a MBean service that provides an implementation of the
SRPVerifierStore
interface that integrates with your existing security information stores. The SRPVerifierStore
interface is shown in Example 13.2, “The SRPVerifierStore interface”.
Note
The default implementation of the
SRPVerifierStore
interface is not recommended for a production security environment because it requires all password hash information to be available as a file of serialized objects.
Example 13.2. The SRPVerifierStore interface
package org.jboss.security.srp; import java.io.IOException; import java.io.Serializable; import java.security.KeyException; public interface SRPVerifierStore { public static class VerifierInfo implements Serializable { public String username; public byte[] salt; public byte[] g; public byte[] N; } public VerifierInfo getUserVerifier(String username) throws KeyException, IOException; public void setUserVerifier(String username, VerifierInfo info) throws IOException; public void verifyUserChallenge(String username, Object auxChallenge) throws SecurityException; }
The primary function of a
SRPVerifierStore
implementation is to provide access to the SRPVerifierStore.VerifierInfo
object for a given user name. The getUserVerifier(String)
method is called by the SRPService
at that start of a user SRP session to obtain the parameters needed by the SRP algorithm. The elements of the VerifierInfo
objects are:
- username
- The user's name or id used to log in.
- verifier
- One-way hash of the password or PIN the user enters as proof of identity. The
org.jboss.security.Util
class has acalculateVerifier
method that performs that password hashing algorithm. The output password takes the formH(salt | H(username | ':' | password))
, whereH
is the SHA secure hash function as defined by RFC2945. The user name is converted from a string to abyte[]
using UTF-8 encoding. - salt
- Random number used to increase the difficulty of a brute force dictionary attack on the verifier password database in the event that the database is compromised. The value should be generated from a cryptographically strong random number algorithm when the user's existing clear-text password is hashed.
- g
- SRP algorithm primitive generator. This can be a well known fixed parameter rather than a per-user setting. The
org.jboss.security.srp.SRPConf
utility class provides several settings forg
, including a suitable default obtained viaSRPConf.getDefaultParams().g()
. - N
- SRP algorithm safe-prime modulus. This can be a well known fixed parameter rather than a per-user setting. The
org.jboss.security.srp.SRPConf
utility class provides several settings forN
including a good default which can obtained viaSRPConf.getDefaultParams().N()
.
Procedure 13.1. Integrate Existing Password Store
Read this procedure to understand the steps involved to integrate your existing password store.
Create Hashed Password Information Store
If your passwords are already stored in an irreversible hashed form, then this can only be done on a per-user basis (for example, as part of an upgrade procedure).You can implementsetUserVerifier(String, VerifierInfo)
as anoOp
method, or a method that throws an exception stating that the store is read-only.Create SRPVerifierStore Interface
You must create a customSRPVerifierStore
interface implementation that understands how to obtain theVerifierInfo
from the store you created.TheverifyUserChallenge(String, Object)
can be used to integrate existing hardware token based schemes like SafeWord or Radius into the SRP algorithm. This interface method is called only when the clientSRPLoginModule
configuration specifies thehasAuxChallenge
option.Create JNDI MBean
You must create a MBean that exposes theSRPVerifierStore
interface available to JNDI, and exposes any configurable parameters required.The defaultorg.jboss.security.srp.SRPVerifierStoreService
will allow you to implement this, however you can also implement the MBean using a Java properties file implementation ofSRPVerifierStore
(refer to Section 13.3, “Secure Remote Password Example”).