README for Version 2.1.2 of the SRP distribution ------------------------------------------------ SRP stands for the Secure Remote Password protocol, which is a secure password-based authentication and key-exchange mechanism that can be used to establish session security and mutual authentication over untrusted networks without requiring an external public-key infrastructure or trusted third parties. The SRP distribution consists of a fully- featured, portable library that implements SRP-based secure password authentication as well as implementations of popular applications and services like Telnet and FTP with support for transport security and SRP. These password-based applications leverage the strength of the SRP authentication mechanism to offer fairly good protection against both passive and active network attacks, which is an improvement over most existing password-only techniques. The SRP project originated at Stanford University and was originally developed as a joint effort between Tom Wu and Eugene Jhong. The distribution has grown into a fully-fledged Open Source project which is being maintained with the help of volunteers from around the world via the Internet, and it is free for commercial and non-commercial use, as long as the copyrights are included and appropriate credit is given (see docs/LICENSE for details). CONTENTS -------- The core SRP distribution consists of the SRP library, SRP Telnet, SRP FTP, and the EPS utilities, which are in the 'libsrp', 'telnet', 'ftp', and 'base' directories respectively. For instructions on how to compile and install the distribution, please read the INSTALL document. The SRP API library (libsrp) uses an underlying cryptographic library to perform the large-number operations specified by the SRP protocol. Currently, it supports OpenSSL, GNU MP, LibTomCrypt, LibTomMath, MPI, and CryptoLib, with more possibly on the way. The top-level configuration utility will attempt to use the same crypto library in Telnet and FTP, if applicable, to provide cryptographic algorithms for the applications themselves. Performance enthusiasts should read 'libsrp/README.speed' and 'libsrp/README.math', which compares the speed of SRP on various platforms and libraries. Implementors interested in integrating SRP authentication with their own applications and code should read 'libsrp/README.API'. TLS/SRP/X11 (TSX) Telnet is a secure Telnet client/server that uses SRP as strong password-based authentication and key-exchange mechanism, and SSL/TLS as an underlying Telnet transport security mechanism, both implemented as part of the Telnet standard. The document 'README.TLS' in the 'telnet' directory describes the following features supported by TSXtelnet in more detail: - TLS-based session security (draft-ietf-tn3270e-telnet-tls-05.txt) - Secure authentication with TLS: SRP, Kerberos V5 (draft-altman-rfc2944bis-01.txt and draft-altman-rfc2942bis-00.txt) - X11 connection forwarding (draft-altman-telnet-fwdx-02.txt) Telnet continues to support existing security options, which are already widely deployed in a variety of commerical and non-commercial Telnet products: - Classic Telnet authentication: SRP, Kerberos V4/V5, SPX, RSA (RFC 2941, RFC 2942, and RFC 2944) - Classic Telnet encryption: Triple-DES, DES, CAST-128, 40-bit CAST, (RFC 2946, RFC 2947, RFC 2948, RFC 2949, RFC 2950, RFC 2952, and RFC 2953) SRP FTP is in the 'ftp' subdirectory. This is an implementation of FTP that negotiates SRP authentication using the FTP security extensions specification and protects both data and control channels with strong encryption. RFC: 2228 (ftpext) The 'base' directory contains the EPS (Exponential Password Suite), which manages the new secure password-file format used by SRP. Sites are encouraged to migrate their users to this improved format once EPS has been installed. Of particular interest are the PAM modules in 'base/pam_eps'. These permit easy and seamless integration of EPS into existing installations without the need to replace system utilities. See 'base/pam_eps/README' for details. Java source code for a sample SRP implementation is located in the 'java' subdirectory. Documentation, naturally, is in the 'docs' subdirectory. The 1998 NDSS Symposium paper that describes SRP is in 'docs/srp.ps'. DISCLAIMERS ----------- The SRP distribution contains cryptographic software, although it contains no encryption algorithm implementations itself, only one-way hash functions and key-agreement algorithms. It does, however, contain hooks to external cryptographic libraries for strong encryption. Please be aware of any regulations on the export, import, or use of software that uses strong cryptography that may apply to you. Also read 'docs/LICENSE' for copyright information and disclaimers. ACKNOWLEDGMENTS --------------- This software is built on top of many other publicly available packages, and contains code and patches from countless sources, individuals and organizations alike. Please see the files "Acknowledgements" and "Copyrights" in the "docs" directory. CONTACT ------- The official Website for the SRP project is: http://srp.stanford.edu/ Please send all comments, suggestions, bug reports about this software to Tom Wu (tjw@cs.stanford.edu).