[gnutls-devel] [RFC] srp: Add resistance against guessing usernames

[Attila Molnar]

Hello everyone,

Currently, gnutls offers protection against attackers that attempt to
guess valid SRP usernames. This functionality is desirable, but with the
current implementation it is easy for a client to differentiate between
valid and invalid usernames.

The reason for this is that gnutls currently generates a random salt each
time a user is not found, meaning that if a client attempts to
authenticate with the same username multiple times and gets a different
salt every time then it can assume the username is invalid.

The provided patch aims to fix this by consistently generating the same
salt for each invalid username based on the username and a secret seed.
The seed can be set by the application, allowing it to supply a seed that
it can store and reload later. The length of the generated fake salts can
also be chosen by the application. The default is 16 bytes - the same as
in srptool, and the limit is 20 bytes (output size of HMAC-SHA1). This can
be lifted if necessary; I chose to go with it to keep the patch simple.

Salts generated by applications that make use of the new API will be
immune to this kind of valid username guessing.

Applications not setting the seed explicitly (e.g. all old applications
that are not aware of the new API) also benefit from this because an
attacker has to wait until the credentials structure used is reallocated
(which usually means wait until the application is restarted).
Although the advantage is obviously limited in this case, it is still
better than being able to connect a few times and compare the salts
immediately.

The patch is for master but I only managed to test it on top of 3.2.

If accepted, I am going to submit another patch that adds the new
functionality to gnutls-serv.

Please let me know what you think.

Regards, Attila