Groupe ON-X

Project EdelKey

The EdelKey project started in 2003 to study the feasibility of a remote key store that removes the need to keep cryptographic keys on the local machine and, as a side effect, gives users mobility; one could call this a "remote virtual smart card". The intended solution is a PKCS#11 module that reaches a remote server over a secure protocol, performing the PKCS#11 functions as secure remote procedure calls. To secure the protocol, SRP-6 over TLS was selected; this became RFC 5054 in November 2007.
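The SRP-6 exchange that RFC 5054 binds into the TLS handshake, as an added worked example in Python (not code from the EdelKey patches or from OpenSSL): enrolment derives the verifier the server stores instead of the password, and one exchange shows both sides arriving at the same premaster secret, while a wrong password makes them diverge. The group is the 1024-bit group from RFC 5054 Appendix A; the identity, password and salt are constructed sample values.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A; generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8   # PAD() zero-extends to the byte length of N


def H(*parts: bytes) -> int:
    """SHA-1 over the concatenation, read as a big-endian integer (RFC 5054 uses SHA-1)."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")


def private_key_x(identity: bytes, password: bytes, salt: bytes) -> int:
    # x = SHA1(s | SHA1(I | ":" | P)); only the client ever computes this from P
    return H(salt, hashlib.sha1(identity + b":" + password).digest())


def make_verifier(identity: bytes, password: bytes, salt: bytes) -> int:
    # Enrolment: the server stores (I, s, v) with v = g^x mod N and never sees P again.
    return pow(g, private_key_x(identity, password, salt), N)


def srp_exchange(identity: bytes, password: bytes, salt: bytes, v: int):
    """One TLS-SRP handshake: returns the premaster secret computed by each side."""
    k = H(pad(N), pad(g))                        # k = SHA1(N | PAD(g))
    a = secrets.randbelow(N - 2) + 1             # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1             # server ephemeral secret
    A = pow(g, a, N)                             # sent in ClientKeyExchange
    B = (k * v + pow(g, b, N)) % N               # sent in ServerKeyExchange with s
    if A == 0 or B == 0:                         # RFC 5054: abort with illegal_parameter
        raise ValueError("illegal_parameter")
    u = H(pad(A), pad(B))                        # u = SHA1(PAD(A) | PAD(B))
    x = private_key_x(identity, password, salt)  # client recomputes x from its password
    client_pms = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    server_pms = pow(A * pow(v, u, N) % N, b, N)
    return client_pms, server_pms
```

In TLS the premaster secret then feeds the normal master-secret derivation, so a mismatch surfaces as a failed Finished message rather than as an explicit password error.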

Some pieces of the puzzle are available. So far, no documentation exists, although some reports and presentations have since been given at conferences.

openssl-0.9.7d+srp-beta4.patch

An initial patch for OpenSSL version 0.9.7d, implementing a draft version of the TLS-SRP protocol (not the final version of the RFC).

Features in first beta (2004-08-30):

The modification also allows use of the TLS server name extension.

Changes in beta 2 (2004-09-07):

Changes in beta 3 (2004-09-25):

Changes in beta 4 (2004-10-01):

Wishlist:

mod_ssl-2.8.19+srp-1.3.31-beta2.patch

A corresponding patch for mod_ssl, the well-known SSL glue for the Apache Web Server. Again, the current documentation is minimal:

Features in first beta (2004-09-08):

Changes in beta 2 (2004-10-01):

curl-7.12.1+srp-beta2

A patch enabling curl and libcurl to use the OpenSSL SRP patch mentioned above.

Features in first beta (2004-09-25):

Changes in beta 2 (2004-10-01):

Meanwhile, support for SRP has been implemented first in GnuTLS and then in the development version of OpenSSL.

Errors, wishlist and roadmap

The 0.9.7 implementation has some errors:

The following parts were mostly done during summer 2005. Since 2006, some of the code has been included in the OpenSSL main code base.

The SRP implementation is simplified to a certain degree:

And the documentation ...??

On the road again

In 2008, Tom Wu took over the work and made available a port of the patch for the OpenSSL 0.9.9 development version. Tom's team made three remarks concerning the code:

You can follow the work in OpenSSL ticket 1794. The first patch needed a little polishing in order to maintain ABI compatibility, and there is also the point that the EVP routines may return errors. Done.

Since March 2011, the code has been integrated into the development branch. As of March 14, 2012, OpenSSL 1.0.1 includes support for SRP. Time to do some documentation.

More ...

Are there issues with patents? I don't think so.

What about client authentication in email clients for POP, IMAP or SMTP?

Credits

Without the students working at EdelWeb, nothing would exist today.

Tom Wu was always available to respond to our questions and to provide useful hints, and for his interoperability tests with other implementations.

Quinn Slack has made a wiki about his work on SRP.