Cryptography Reference
In-Depth Information
the password from the verifier. Thus, the verifier-based protocols are those that only require the verifier to be stored (not the password). However, in rectifying the password-storage problem inherent in EKE, A-EKE destroys a desirable property that is possessed by EKE, namely forward secrecy, which means that revealing the password to a cryptanalyst does not help in obtaining session keys of past sessions (see [272]). To address these problems and create a protocol that has all the positive and none of the negative features of the EKE family, a new protocol was developed at Stanford University in 1997, called Secure Remote Protocol (SRP). SRP differs from the EKE family in that instead of relying on shared secrets such as passwords or their equivalents stored by a server, SRP mandates that the server store a salt value (see Footnote 3.8 on page 136) and a verifier. Without password storage, SRP is more secure than password schemes, performing a secure key exchange in the authentication process. We now describe this protocol as a closing feature of this section.
Secure Remote Protocol (SRP-6) — Latest Version
Carol will interact with Victor to establish a password $k$, and upon mutual authentication, a session key $S$ will be used to establish a key $K$ to be used to encrypt all future traffic.
Background Assumptions: All computations are carried out modulo a preselected large prime $p$, and $\alpha$ is a primitive root modulo $p$, also preselected. The prime $p$ must be a safe prime, which means that $(p - 1)/2$ must be a prime. These are public values. $H$ is a hash function (typically SHA-1 is used with SRP-6; see page 255). To establish a password $k$ with Victor, Carol picks a random salt $s$ and computes $v \equiv \alpha^d \pmod{p}$, where $d = H(s, k)$, her private key. Victor stores $v$ and $s$ as Carol's password verifier and salt. All equalities below are assumed to be reductions modulo $p$ for convenience.

Protocol Steps:

1. Carol sends $I_C$ and $A = \alpha^a$ (where $a$ is a nonce) to Victor.
2. Victor looks up her password entry, retrieves $s$ and $v$ from the database, and sends both $s$ and $B = 3v + \alpha^b$ (where $b$ is a nonce) to Carol.
3. Both Carol and Victor, independently, compute $u = H(A, B)$.
5. Carol computes her private key $d = H(s, k)$, then she calculates $S = (B - 3\alpha^d)^{(a + ud)}$. Victor independently computes $S = (A v^u)^b$.
6. Both Carol and Victor apply the hash to get $K = H(S)$, the session key.
7. To verify that she has the correct key, Carol sends $h_1 = H(H(p \oplus H(\alpha)), H(I_C), s, A, B, K)$ to Victor, where $\oplus$ is addition modulo 2.
8. Victor computes $h_1$ and verifies that it matches the value of $h_1$ sent by Carol, then he sends $h_2 = H(A, h_1, K)$ to her.
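The enrollment and steps 1 to 6 above, written out as an added Python example (not code from the original text), showing that both sides derive the same $K$ only when Carol types the enrolled password. The function names, the byte encoding fed to $H$, and the demonstration-sized group generated at run time are assumptions; the checks that reject $A$ or $B$ congruent to 0 modulo $p$ come from the SRP-6 specification rather than from this page.

```python
import hashlib, secrets

def is_prime(n, rounds=24):  # Miller-Rabin probabilistic primality test
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    r, d = 0, n - 1
    while d % 2 == 0:
        r, d = r + 1, d // 2
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** i, n) != n - 1 for i in range(1, r)):
            return False
    return True

def make_group(bits=256):
    # Constructed demo parameters: search for a safe prime p = 2q + 1.
    q = (1 << (bits - 2)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    # For a safe prime, g is a primitive root iff its order is not 1, 2 or q.
    alpha = next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)
    return p, alpha

def H(*parts):
    # SHA-1 as on the page; the "|"-joined decimal encoding is an assumption.
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def enroll(p, alpha, k):
    s = secrets.randbits(64)                    # random salt
    return s, pow(alpha, H(s, k), p)            # Victor stores only (s, v)

def victor_key(p, v, b, A, B):
    if A % p == 0:  # SRP-6 safeguard (not on the page): abort on a degenerate A
        raise ValueError("A is 0 mod p")
    return H(pow(A * pow(v, H(A, B), p) % p, b, p))        # K = H((A v^u)^b)

def carol_key(p, alpha, s, k, a, A, B):
    if B % p == 0:  # same safeguard on Carol's side
        raise ValueError("B is 0 mod p")
    u, d = H(A, B), H(s, k)
    return H(pow((B - 3 * pow(alpha, d, p)) % p, a + u * d, p))  # K = H((B - 3 alpha^d)^(a+ud))

def session(p, alpha, s, v, k_typed):
    a, b = (secrets.randbelow(p - 2) + 1 for _ in range(2))  # nonces a and b
    A, B = pow(alpha, a, p), (3 * v + pow(alpha, b, p)) % p  # steps 1 and 2
    return carol_key(p, alpha, s, k_typed, a, A, B), victor_key(p, v, b, A, B)
```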