14.6.2. Configure Secure Remote Password (SRP) Protocol
To use Secure Remote Password (SRP) Protocol in your application, you first create an MBean which implements the
SRPVerifierStore
interface. Information about the implementation is provided in The SRPVerifierStore Implementation.
Procedure 14.5. Integrate the Existing Password Store
Create the hashed password information store.
If your passwords are already stored in an irreversible hashed form, you need to do this on a per-user basis.You can implementsetUserVerifier(String, VerifierInfo)
as a noOp method, or a method that throws an exception stating that the store is read-only.Create the SRPVerifierStore interface.
Create a customSRPVerifierStore
interface implementation that can obtain theVerifierInfo
from the store you created.TheverifyUserChallenge(String, Object)
can be used to integrate existing hardware token based schemes like SafeWord or Radius into the SRP algorithm. This interface method is called only when the client SRPLoginModule configuration specifies the hasAuxChallenge option.Create the JNDI MBean.
Create a MBean that exposes theSRPVerifierStore
interface available to JNDI, and exposes any configurable parameters required.The defaultorg.jboss.security.srp.SRPVerifierStoreService
allows you to implement this. You can also implement the MBean using a Java properties file implementation ofSRPVerifierStore
.
The SRPVerifierStore Implementation
The default implementation of the SRPVerifierStore
interface is not recommended for production systems, becauase it requires all password hash information to be available as a file of serialized objects.
The
SRPVerifierStore
implementation provides access to the SRPVerifierStore.VerifierInfo
object for a given username. The getUserVerifier(String)
method is called by the SRPService at the start of a user SRP session to obtain the parameters needed by the SRP algorithm.
Elements of a VerifierInfo Object
- username
- The username or user ID used to authenticate
- verifier
- A one-way hash of the password the user enters as proof of identity. The
org.jboss.security.Util
class includes acalculateVerifier
method which performs the password hashing algorithm. The output password takes the formH(salt | H(username | ':' | password))
, whereH
is the SHA secure hash function as defined by RFC2945. The username is converted from a string to a byte[] using UTF-8 encoding. - salt
- A random number used to increase the difficulty of a brute force dictionary attack on the verifier password database in the event that the database is compromised. The value should be generated from a cryptographically strong random number algorithm when the user's existing clear-text password is hashed.
- g
- The SRP algorithm primitive generator. This can be a well known fixed parameter rather than a per-user setting. The
org.jboss.security.srp.SRPConf
utility class provides several settings forg
, including a suitable default obtained viaSRPConf.getDefaultParams().g()
. - N
- The SRP algorithm safe-prime modulus. This can be a well-known fixed parameter rather than a per-user setting. The
org.jboss.security.srp.SRPConf
utility class provides several settings for N including a good default obtained viaSRPConf.getDefaultParams().N()
.
Example 14.15. The SRPVerifierStore Interface
package org.jboss.security.srp; import java.io.IOException; import java.io.Serializable; import java.security.KeyException; public interface SRPVerifierStore { public static class VerifierInfo implements Serializable { public String username; public byte[] salt; public byte[] g; public byte[] N; } public VerifierInfo getUserVerifier(String username) throws KeyException, IOException; public void setUserVerifier(String username, VerifierInfo info) throws IOException; public void verifyUserChallenge(String username, Object auxChallenge) throws SecurityException; }