2015-09-07 16:04:32 +02:00
|
|
|
## SRP Protocol Design
|
|
|
|
|
|
2015-09-07 15:56:28 +02:00
|
|
|
SRP is the newest addition to a new class of strong authentication
|
|
|
|
|
protocols that resist all the well-known passive and active attacks
|
|
|
|
|
over the network.
|
|
|
|
|
SRP borrows some elements from other key-exchange and
|
2015-09-07 16:04:32 +02:00
|
|
|
identification protocols and adds some subtle modifications and
|
2015-09-07 15:56:28 +02:00
|
|
|
refinements.
|
|
|
|
|
The result is a protocol that preserves the strength and
|
|
|
|
|
efficiency of the EKE family protocols while fixing some of
|
|
|
|
|
their shortcomings.
|
|
|
|
|
|
|
|
|
|
The following is a description of SRP-6 and 6a, the latest versions of SRP:
|
|
|
|
|
|
2015-09-07 16:01:38 +02:00
|
|
|
```
|
2015-09-07 15:56:28 +02:00
|
|
|
N A large safe prime (N = 2q+1, where q is prime)
|
|
|
|
|
All arithmetic is done modulo N.
|
|
|
|
|
g A generator modulo N
|
|
|
|
|
k Multiplier parameter (k = H(N, g) in SRP-6a, k = 3 for legacy SRP-6)
|
|
|
|
|
s User's salt
|
|
|
|
|
I Username
|
|
|
|
|
p Cleartext Password
|
|
|
|
|
H() One-way hash function
|
|
|
|
|
^ (Modular) Exponentiation
|
|
|
|
|
u Random scrambling parameter
|
|
|
|
|
a,b Secret ephemeral values
|
|
|
|
|
A,B Public ephemeral values
|
|
|
|
|
x Private key (derived from p and s)
|
|
|
|
|
v Password verifier
|
2015-09-07 16:01:38 +02:00
|
|
|
```
|
2015-09-07 15:56:28 +02:00
|
|
|
|
|
|
|
|
The host stores passwords using the following formula:
|
|
|
|
|
|
2015-09-07 16:01:38 +02:00
|
|
|
```
|
2015-09-07 15:56:28 +02:00
|
|
|
x = H(s, p) (s is chosen randomly)
|
|
|
|
|
v = g^x (computes password verifier)
|
2015-09-07 16:01:38 +02:00
|
|
|
```
|
2015-09-07 15:56:28 +02:00
|
|
|
|
|
|
|
|
The host then keeps {I, s, v} in its password database.
|
|
|
|
|
|
|
|
|
|
The authentication protocol itself goes as follows:
|
|
|
|
|
|
2015-09-07 16:01:38 +02:00
|
|
|
```
|
2015-09-07 15:56:28 +02:00
|
|
|
User -> Host: I, A = g^a (identifies self, a = random number)
|
|
|
|
|
Host -> User: s, B = kv + g^b (sends salt, b = random number)
|
|
|
|
|
|
|
|
|
|
Both: u = H(A, B)
|
|
|
|
|
|
|
|
|
|
User: x = H(s, p) (user enters password)
|
|
|
|
|
User: S = (B - kg^x) ^ (a + ux) (computes session key)
|
|
|
|
|
User: K = H(S)
|
|
|
|
|
|
|
|
|
|
Host: S = (Av^u) ^ b (computes session key)
|
|
|
|
|
Host: K = H(S)
|
2015-09-07 16:01:38 +02:00
|
|
|
```
|
2015-09-07 15:56:28 +02:00
|
|
|
|
|
|
|
|
Now the two parties have a shared, strong session key K. To complete
|
|
|
|
|
authentication, they need to prove to each other that their keys match.
|
|
|
|
|
One possible way:
|
|
|
|
|
|
2015-09-07 16:01:38 +02:00
|
|
|
```
|
2015-09-07 15:56:28 +02:00
|
|
|
User -> Host: M = H(H(N) xor H(g), H(I), s, A, B, K)
|
|
|
|
|
Host -> User: H(A, M, K)
|
2015-09-07 16:01:38 +02:00
|
|
|
```
|
2015-09-07 15:56:28 +02:00
|
|
|
|
|
|
|
|
The two parties also employ the following safeguards:
|
|
|
|
|
|
|
|
|
|
* The user will abort if he receives B == 0 (mod N) or u == 0.
|
|
|
|
|
* The host will abort if it detects that A == 0 (mod N).
|
|
|
|
|
* The user must show his proof of K first. If the server detects that
|
|
|
|
|
the user's proof is incorrect, it must abort without showing its own
|
|
|
|
|
proof of K.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A [paper](http://srp.stanford.edu/srp6.ps) describing this protocol is also
|
|
|
|
|
available, as well as a
|
|
|
|
|
[conference paper](ftp://srp.stanford.edu/pub/srp/srp.ps)
|
|
|
|
|
describing an older version of the protocol.
|
|
|
|
|
|
|
|
|
|
For historical interest, descriptions of the
|
|
|
|
|
previous versions of SRP are available on this site:
|
|
|
|
|
|
|
|
|
|
* [SRP-1](http://srp.stanford.edu/design1.html)
|
|
|
|
|
* [SRP-2](http://srp.stanford.edu/design2.html)
|
|
|
|
|
* [SRP-3](http://srp.stanford.edu/design3.html)
|
2015-09-07 16:03:10 +02:00
|
|
|
|
|
|
|
|
This document has been copied from [http://srp.stanford.edu/design.html](http://srp.stanford.edu/design.html)
|
