Secure remote password authentication
Secure Remote Password (SRP) is an industry-standard nondisclosing authentication protocol (also characterized as a zero-knowledge protocol). This type of protocol enables a client-tier user to prove to an Authentication Service that the user knows a password without ever revealing that password to the middle-tier service. Nondisclosing authentication protocols protect against man-in-the-middle attacks and allow password-based mutual authentication of a client and server.
NEW IN 20.02.01 The TrueSight Server Automation Authentication Service uses PBKDF2 (a password-stretching key derivation function) together with SRP for additional security. Passwords are hashed with PBKDF2 before the SRP protocol is applied to them. For more information about PBKDF2, see the PBKDF2 specification.
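To make the two paragraphs above concrete, here is an added walk-through of an SRP-6a exchange in Python, with both the client and the server side. It is example code written for this page, not BMC's or TrueSight's implementation. It follows the RFC 5054 formulas with SHA-256; the PBKDF2-before-SRP derivation of x, the demo-sized group, the salt and iteration count, and the simplified proof messages M1/M2 are this example's own assumptions.

```python
import hashlib, hmac, random, secrets

H = hashlib.sha256

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin (after trial division by a few small primes)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits, rng):
    """Returns N = 2q + 1 with q and N both prime, the group shape SRP requires."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1

# Demo group (assumption): a 128-bit safe prime from a seeded generator so the run is
# reproducible. A deployment uses a standardised group of 2048 bits or more (RFC 5054).
N = gen_safe_prime(128, random.Random(20240101))
g = 2
NLEN = (N.bit_length() + 7) // 8

def i2b(n):  # fixed-width big-endian encoding, PAD() in RFC 5054
    return n.to_bytes(NLEN, "big")

def hash_int(*parts):
    return int.from_bytes(H(b"".join(parts)).digest(), "big")

k = hash_int(i2b(N), i2b(g))  # SRP-6a multiplier k = H(N | PAD(g))

def private_key(salt, username, password):
    # Assumed construction (this example's choice, not TrueSight's documented one):
    # stretch the password with PBKDF2 first, as the page says TrueSight does,
    # then derive x = H(salt | username | stretched) in the style of RFC 5054.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hash_int(salt, username.encode(), stretched)

def register(username, password):
    """Server-side enrolment: store a salt and the verifier v = g^x, never the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": pow(g, private_key(salt, username, password), N)}

def client_start():
    a = secrets.randbelow(N - 2) + 1  # client ephemeral private value
    return a, pow(g, a, N)            # (a, A)

def server_respond(record, A):
    if A % N == 0:  # a malformed A would force S = 0; the server must abort
        raise ValueError("client public value is 0 mod N")
    b = secrets.randbelow(N - 2) + 1
    return b, (k * record["verifier"] + pow(g, b, N)) % N  # (b, B)

def client_finish(username, password, salt, a, A, B):
    if B % N == 0:  # same check on the client side
        raise ValueError("server public value is 0 mod N")
    u = hash_int(i2b(A), i2b(B))
    x = private_key(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # = g^(b(a + ux))
    K = H(i2b(S)).digest()
    return K, H(i2b(A) + i2b(B) + K).digest()  # (K, M1): client's proof of K

def server_finish(record, A, b, B, M1):
    u = hash_int(i2b(A), i2b(B))
    S = pow(A * pow(record["verifier"], u, N) % N, b, N)  # also g^(b(a + ux))
    K = H(i2b(S)).digest()
    if not hmac.compare_digest(H(i2b(A) + i2b(B) + K).digest(), M1):
        return None  # wrong password; the server has learned nothing about it
    return K, H(i2b(A) + M1 + K).digest()  # (K, M2): server's proof, for mutual auth

def authenticate(username, password, record):
    """Runs the whole exchange; returns the shared session key, or None on failure."""
    a, A = client_start()
    b, B = server_respond(record, A)
    K_client, M1 = client_finish(username, password, record["salt"], a, A, B)
    result = server_finish(record, A, b, B, M1)
    if result is None:
        return None
    K_server, M2 = result
    if not hmac.compare_digest(M2, H(i2b(A) + M1 + K_client).digest()):
        return None  # server failed to prove it holds the same key
    return K_client  # equals K_server; both sides derived it without sending it
```

Two things worth noticing when reading the exchange: the only password-derived values that ever cross the wire are A, B, M1 and M2, none of which lets an observer or a malicious server recover the password, and the server's stored record holds a verifier rather than a password hash, so a copy of the user table is not directly usable to log in. The `A % N == 0` and `B % N == 0` aborts are the checks RFC 5054 requires; without them a degenerate public value forces the shared secret to zero.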
With SRP, the TrueSight Server Automation Authentication Service authenticates client-tier users against a registry of authorized users. In TrueSight Server Automation, this registry is a user table in the central Application Server database. Information in the user table is derived from the RBAC utility in the TrueSight Server Automation console.
After successfully authenticating the SRP user, the Authentication Service issues the client a session credential. At that point, a TrueSight Server Automation client application can use the session credential to establish an authenticated secure session with the Application Service or Network Shell Proxy Service identified by the service URLs in the session credential.