SRP-2 Protocol Design
This is a description of SRP-2, which resists the
attack recently discovered against SRP-1.
Although there are no known weaknesses in SRP-2, its use of a
composite modulus with unknown factorization makes parameter
certification a serious issue.
The SRP-3 protocol avoids these
issues by using a safe prime modulus and fixes the weakness
in SRP-1 using a different technique.
N The product of two safe primes p and q
(p = 2j+1, q = 2k+1, j, k, p, q all prime)
All arithmetic is done modulo N.
g A generator of the group G((p-1)(q-1)/2) mod N
s User's salt
u Username
P Cleartext Password
H() One-way hash function
^ (Modular) Exponentiation
Ws,Ys Secret values
Wp,Yp Public values
Xs Salted and hashed password
Xp Password verifier
The host stores passwords using the following formula:
Xs = s * H(P) (s is chosen randomly)
Xp = g ^ Xs (computes password verifier)
The host then keeps {u, s, Xp} in its password database.
The authentication protocol itself goes as follows:
User -> Host: u, Wp = g ^ Ws (identifies self, Ws = random number)
Host: Yp = g ^ Ys (Ys = random number)
Host -> User: s, Z = Xp + Yp (sends salt, adds verifier to residue)
User: Xs = s * H(P) (user enters password)
User: Yp = Z - (g ^ Xs) (recovers Yp from message)
User: S = Yp ^ (2*Ws + Xs) (computes session key)
User: K = H(S)
Host: S = (Wp^2 * Xp) ^ Ys (computes session key)
Host: K = H(S)
Now the two parties have a shared, strong session key K. To complete
authentication, they need to prove to each other that their keys match.
One possible way:
User -> Host: H(Z, K) (hash with host's value)
Host -> User: H(Wp, K) (hash with user's value)
The two parties also employ the following safeguards:
- The user will abort if he receives Z == 0 (mod N).
- The host will abort if it detects that Wp == 0 (mod N).
- The user must show his proof of K first. If the server detects that
the user's proof is incorrect, it must abort without showing its own
proof of K.
A paper describing
this protocol is also available.
Back