A Stolen-Verifier Attack against SRP-1: An attacker Anne steals Alice's verifier Xp. She then contacts the host: Anne computes T = Xp ^ -1 (mod N) (multplicative inverse) and picks a random number 1 < q < N - 1. Anne->Host: u, Wp = (g ^ q) * T (mod N) (instead of g^Ws) Host->Anne: s, Z = Xp + Yp (host computes Yp as normal) Host: S = (Wp * Xp) ^ Ys Ks = H(s) If we substitute for Wp here, the server's session key becomes: S = (g ^ q * T * Xp) ^ Ys = (g ^ q) ^ Ys = g ^ (q * Ys) Anne: Yp = Z - Xp (recovers Yp since Xp is known) Anne: S = Yp ^ q Anne: Kc = H(S) Since Yp ^ q = (g ^ Ys) ^ q = g ^ (q * Ys), Anne now has the same session key S as the host. All Anne needs to do is send Anne->Host: H(Z, Kc) to gain access to the host.SRP-2 and SRP-3 are both immune to this attack.
This file can be obtained as ASCII text. You can use the Perl implementation of SHA to verify its hash.