Module srp6::protocol_details
source · [−]Expand description
A very brief summary of the papers and RFCs of SRP6 and SRP6a
SRP Vocabulary
N A large safe prime (N = 2q+1, where q is prime)
All arithmetic is done modulo N.
g A generator modulo N
k Multiplier parameter (k = H(N, g) in SRP-6a, k = 3 for legacy SRP-6)
s User's salt
I Username (the rfc calls it U)
p Cleartext Password
H() One-way hash function
^ (Modular) Exponentiation
u Random scrambling parameter
a,b Secret ephemeral values
A,B Public ephemeral values
x Private key (derived from p and s)
v Password verifier
S Session key
K Strong session key (SHA1 interleaved)
M Proof (calculated by the server)
M1 Proof provided by the client
SRP Formulas
Calculations by the client:
I, p = <read from user>
N, g, s, B = <read from server>
a = random()
A = g^a % N
u = SHA1(PAD(A) | PAD(B))
k = SHA1(N | PAD(g)) (k = 3 for legacy SRP-6)
x = SHA1(s | SHA1(I | ":" | p))
S = (B - (k * g^x)) ^ (a + (u * x)) % N
K = SHA_Interleave(S)
M = H(H(N) XOR H(g) | H(U) | s | A | B | K)
Calculations by the server:
N, g, s, v = <read from password file>
v = g^x % N
b = random()
k = SHA1(N | PAD(g))
B = k*v + g^b % N
A = <read from client>
u = SHA1(PAD(A) | PAD(B))
S = (A * v^u) ^ b % N
K = SHA_Interleave(S)
H(A | M | K)
Safeguards
- The user will abort if he receives one of
B mod N == 0
u == 0
- The host will abort if it detects that
A mod N == 0
. - The user must show his proof of
K
first. If the server detects that the user’s proof is incorrect, it must abort without showing its own proof ofK
.