design.html
9191797db29dd5def1333928a4f386446b525e88d5a6fadef41f6222bca7ff35
<html>
<head>
<title>SRP: Design Specifications</title>
</head>
<body fgcolor="#000000" bgcolor="#FFFFFF">
<h1>SRP Protocol Design</h1>
SRP is the newest addition to a new class of strong authentication
protocols that resist all the well-known passive and active attacks
over the network.
SRP borrows some elements from other key-exchange and
identification protcols and adds some subtle modifications and
refinements.
The result is a protocol that preserves the strength and
efficiency of the EKE family protocols while fixing some of
their shortcomings.
<pre>
N A large safe prime (N = 2q+1, where q is prime)
All arithmetic is done modulo N.
g A generator modulo N
s User's salt
U Username
p Cleartext Password
H() One-way hash function
^ (Modular) Exponentiation
t Security parameter
u Random scrambling parameter
a,b Secret ephemeral values
A,B Public ephemeral values
x Private key (derived from P and s)
v Password verifier
</pre>
The host stores passwords using the following formula:
<pre>
x = H(s, p) (s is chosen randomly)
v = g^x (computes password verifier)
</pre>
The host then keeps {u, s, v} in its password database.
The authentication protocol itself goes as follows:
<pre>
User -> Host: U, A = g^a (identifies self, a = random number)
Host -> User: s, B = v + g^b, u (sends salt, b = random number,
u = t-bit random number)
User: x = H(s, p) (user enters password)
User: S = (B - g^x) ^ (a + ux) (computes session key)
User: K = H(S)
Host: S = (Av^u) ^ b (computes session key)
Host: K = H(S)
</pre>
Now the two parties have a shared, strong session key K. To complete
authentication, they need to prove to each other that their keys match.
One possible way:
<pre>
User -> Host: M = H(H(N) xor H(g), H(U), s, A, B, K)
Host -> User: H(A, M, K)
</pre>
The two parties also employ the following safeguards:
<ol>
<li>The user will abort if he receives B == 0 (mod N) or u == 0.
<li>The host will abort if it detects that A == 0 (mod N).
<li>The user must show his proof of K first. If the server detects that
the user's proof is incorrect, it must abort without showing its own
proof of K.
</ol>
A <a href="ftp://srp.stanford.edu/pub/srp/srp.ps">paper</a> describing
this protocol is also available.
<p>
<hr>
<a href="index.html">Back</a>
</body>
</html>