Ente adopts SRP

September 25, 2023
vishnu@ente.io

Over the last month we updated all our apps to use the Secure Remote Password protocol for authentication.

What is SRP?

Secure Remote Password (SRP) protocol is an elegant cryptographic method designed to enhance password based authentication systems. It allows a client and server to prove to each other that they know a secret without actually sharing the secret or its hash across the network.

How does it work?

To use SRP, we need:

  • a key derivation function (KDF) that can derive a very large number from your password (we've chosen Argon2id v1.3)
  • an SRP group consisting of two numbers: one very large prime and one generator (we've chosen the 4096-bit SRP group)

Setup

To setup SRP, the client generates some non-secret information, and stores it on our servers.

  1. User picks a password, from which the client derives a keyEncryptionKey, which is from there on used to encrypt the user's masterKey
  2. From this keyEncryptionKey, the client derives a loginKey using libsodium's crypto_kdf_derive_from_key
  3. The client then uses this loginKey and the pre-determined SRP group to generate a verifier
  4. This verifier, along with the SRP group is then sent to the server for storage, which is from there on never returned back to the client

Please note that it is computationally infeasible to deduce the password or any derived attributes from the verifier.

Authentication

During authentication, the client and server dance a bit, exchanging non-secret information. Post which the client combines this information with a secret that only it knows, and the server combines it with a secret that only it knows. Finally, both parties arrive at the same very large number, using the information available to them.

  1. The client fetches the public attributes for deriving the loginKey
  2. The client then asks the user for their password, using which their keyEncryptionKey is derived, and the client subsequently derives the loginKey from this keyEncryptionKey
  3. The client then generates a random secret identifier a and a non-secret identifier A from the pre-decided SRP group, and sends A to the server.
  4. The server in return generates a secret identifier b and a non-secret identifier B from the pre-decided SRP group, and returns B to the client.
  5. The client now generates an evidence using B and the secrets – loginKey and a. This is then sent to the server for verification.
  6. The server can verify the correctness of this evidence using the available verifier, A and the secret it owns – b.

Some beautiful Maths is used by both parties to arrive at the same evidence using the different bits of information available to them.

The server arriving at the same evidence is proof that the client has access to the correct password, without which the loginKey could not have been derived.

After this step, the server can authenticate the user's session and give it what it wants.

Why adopt SRP?

Ente's authentication flow previously required users to verify their email address, to access their key-derivation attributes which they could then be used in conjunction with their password to derive their keyEncryptionKey and subsequently their masterKey.

This meant that users had to always wait for an email with an OTP, to sign in. Aside the suboptimal UX, this was a deal breaker for our Authenticator app, where you might want to store the second-factor to your email account with us, potentially resulting in a deadlock.

Note: SRP can in addition be used to verify the authenticity of our servers and to encrypt non-secret data in transit. To reduce complexity, Ente will for now continue it's reliance on TLS for these.

Conclusion

With the adoption of SRP, we were able to remove the dependency on email verification. But if you are someone who likes the additional layer of security offered by your email, please turn it on from Settings > Security.

We're grateful to the team at Cure53 for recommending this change, and helping verify its correctness. This was an interesting bit of tech that we got to understand and adopt.

Credits


If you are a programmer who finds systems and security interesting, you might enjoy hanging out with us on our Matrix / Discord; and if you're looking for an end-to-end encrypted cloud to store your Photos, you are already on the correct website!