Secure Remote Password Protocol - Protocol

Protocol

The following notation is used in this description of the protocol, version 6:

  • q and N = 2q + 1 are chosen such that both are prime (which makes q a Sophie Germain prime and N a safe prime). N must be large enough so that computing discrete logarithms modulo N is infeasible.
  • All arithmetic is performed in the field of integers modulo N, ℤ_N; every power such as g^x below is to be read as g^x mod N.
  • g is a generator of the multiplicative group.
  • k is a parameter derived by both sides; for example, k = H(N, g). This creates an asymmetry between the client and server sides of the protocol, meaning a man-in-the-middle attacker only gets 1 verification attempt per impersonation, rather than 2.
  • s is a small salt.
  • I is an identifying username.
  • p is the user's password.
  • H is a hash function; e.g., SHA-256.
  • v is the host's password verifier, v = g^x, where x = H(s, p). Using a password hashing function such as PBKDF2 in place of H for deriving x is highly recommended.
  • a and b are random private ephemeral values, chosen fresh by Carol and Steve respectively for each run of the protocol.
  • | denotes concatenation.

All other variables are defined in terms of these.

First, to establish a password p with Steve, Carol picks a small random salt s, and computes x = H(s, p), v = g^x. Steve stores v and s, indexed by I, as Carol's password verifier and salt. x is discarded because it is equivalent to the plaintext password p. This step is completed before the system is used.

  1. Carol → Steve: I and A = g^a
  2. Steve → Carol: s and B = kv + g^b
  3. Both: u = H(A, B)
  4. Carol: S_Carol = (B − kg^x)^(a + ux) = (kv + g^b − kg^x)^(a + ux) = (kg^x − kg^x + g^b)^(a + ux) = (g^b)^(a + ux)
  5. Carol: K_Carol = H(S_Carol)
  6. Steve: S_Steve = (Av^u)^b = (g^a v^u)^b = (g^a g^(ux))^b = (g^(a + ux))^b = (g^b)^(a + ux)
  7. Steve: K_Steve = H(S_Steve) = K_Carol

Now the two parties have a shared, strong session key K. To complete authentication, they need to prove to each other that their keys match. One possible way is as follows:

  1. Carol → Steve: M1 = H(H(N) XOR H(g) | H(I) | s | A | B | K_Carol). Steve verifies M1.
  2. Steve → Carol: M2 = H(A | M1 | K_Steve). Carol verifies M2.

This method requires guessing more of the shared state to be successful in impersonation than just the key. While most of the additional state is public, private information could safely be added to the inputs to the hash function, like the server private key. The two parties also employ the following safeguards:

  1. Carol will abort if she receives B == 0 (mod N) or u == 0.
  2. Steve will abort if he receives A == 0 (mod N).
  3. Carol must show her proof of K first. If Steve detects that Carol's proof is incorrect, he must abort without showing his own proof of K.
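The whole procedure above, enrolment, messages 1 to 7, the M1/M2 proofs and the three safeguards, as an added Python example; this is not code from the page or from any SRP implementation. Assumptions not fixed by the text: H is SHA-256 over the minimal big-endian encodings of the integers (no padding), the group is the 1024-bit safe prime from RFC 5054 Appendix A with g = 2, M1 is the SRP-6 value H(H(N) XOR H(g) | H(I) | s | A | B | K), and the whole exchange runs in one process with an `A_override` hook, added only so that a bogus A (for example A = 0) can be sent. The Miller-Rabin routine exists only to confirm that N and q = (N − 1)/2 are prime before the group is trusted.

```python
import hashlib
import hmac
import secrets

# Group: the 1024-bit safe prime from RFC 5054 Appendix A with g = 2 (an
# assumption of this example; check the constant against the RFC before reuse).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2

def to_bytes(n: int) -> bytes:
    """Minimal big-endian encoding (the hashing convention assumed here)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def H(*parts) -> int:
    """SHA-256 over the concatenation of int/bytes parts, read as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else to_bytes(part))
    return int.from_bytes(h.digest(), "big")

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used only to sanity-check that N and q = (N - 1)/2 are prime."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

k = H(N, g)  # SRP-6 multiplier: makes B = kv + g^b asymmetric between the sides

def register(p: bytes):
    """Enrolment: Carol picks s, computes x = H(s, p), v = g^x; only (s, v) is kept."""
    s = secrets.token_bytes(16)
    return s, pow(g, H(s, p), N)

def proof_m1(I, s, A, B, K) -> int:
    """SRP-6 client proof (assumed form): H(H(N) XOR H(g) | H(I) | s | A | B | K)."""
    return H(H(N) ^ H(g), H(I), s, A, B, K)

def same(x: int, y: int) -> bool:
    """Constant-time comparison of two proofs."""
    return hmac.compare_digest(to_bytes(x), to_bytes(y))

def run_exchange(store, I: bytes, p: bytes, A_override=None) -> bool:
    """Steps 1-7 plus the M1/M2 proofs; True when both sides derive the same K."""
    # 1. Carol -> Steve: I and A = g^a (A_override lets a test send a bogus A)
    a = secrets.randbelow(N - 1) + 1
    A = pow(g, a, N) if A_override is None else A_override
    # 2. Steve -> Carol: s and B = kv + g^b; Steve aborts on A == 0 (mod N)
    if A % N == 0:
        raise ValueError("abort: A == 0 (mod N)")
    s, v = store[I]
    b = secrets.randbelow(N - 1) + 1
    B = (k * v + pow(g, b, N)) % N
    # 3-5. Carol: check B and u = H(A, B), then S = (B - k g^x)^(a + ux), K = H(S)
    if B % N == 0:
        raise ValueError("abort: B == 0 (mod N)")
    u = H(A, B)
    if u == 0:
        raise ValueError("abort: u == 0")
    x = H(s, p)
    K_carol = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    M1 = proof_m1(I, s, A, B, K_carol)
    # 6-7. Steve: S = (A v^u)^b, K = H(S); M1 is checked before M2 is revealed
    K_steve = H(pow((A * pow(v, u, N)) % N, b, N))
    if not same(M1, proof_m1(I, s, A, B, K_steve)):
        raise ValueError("abort: client proof M1 is wrong")  # M2 is never sent
    M2 = H(A, M1, K_steve)
    if not same(M2, H(A, M1, K_carol)):  # Carol checks M2 with her own key
        raise ValueError("abort: server proof M2 is wrong")
    return K_carol == K_steve

def attempt(store, I: bytes, p: bytes, A_override=None) -> str:
    """Drive one run; report 'ok' or the abort reason instead of raising."""
    try:
        return "ok" if run_exchange(store, I, p, A_override) else "key mismatch"
    except ValueError as err:
        return str(err)
```

Running `attempt({b"carol": register(b"pw")}, b"carol", b"pw")` returns "ok", a wrong password returns "abort: client proof M1 is wrong" without M2 ever being computed, and `A_override=0` (or any multiple of N) is rejected before Steve does any arithmetic. Note that deployed variants differ in details this example does not follow: RFC 5054, for instance, pads values to the byte length of N before hashing and derives x as H(s | H(I | ":" | p)), so the proofs here are not interoperable with it; the page's definitions are used instead.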